{"id":"CVE-2026-21725","details":"A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.\n\nThis requires several very stringent conditions to be met:\n\n- The attacker must have admin access to the specific datasource prior to its first deletion.\n- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.\n- The attacker must delete the datasource, then someone must recreate it.\n- The new datasource must not have the attacker as an admin.\n- The new datasource must have the same UID as the prior datasource. These are randomised by default.\n- The datasource can now be re-deleted by the attacker.\n- Once 30 seconds are up, the attack is spent and cannot be repeated.\n- No datasource with any other UID can be attacked.","aliases":["BIT-grafana-2026-21725"],"modified":"2026-04-10T05:38:33.828283Z","published":"2026-02-25T13:16:05.240Z","related":["CGA-wc22-f84p-j8f7"],"references":[{"type":"ADVISORY","url":"https://grafana.com/security/security-advisories/cve-2026-21725"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana","events":[{"introduced":"277ef258d4b9a5acdf2932347c6a4ca72d739b28"},{"fixed":"46a02dc12a085445ab105b72fa159248f7d1dc9d"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"fixed":"12.4.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21725.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"}]}