Authorization Bypass in Grafana Datasource Deletion

Key Information

- Advisory ID: CVE-2026-21725
- Published: 2026-02-25
- Product: Grafana
- Severity: Low
- CVSS Score: 2.6
- CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
- Fixed Versions: >=12.4.1

Summary

A time-of-create-to-time-of-use (TOCTOU) vulnerability allows recently deleted then recreated data sources to be re-deleted without permission.

Conditions

- The attacker must have admin access to the specific data source before its first deletion.
- All steps must occur within 30 seconds and on the same Grafana pod.
- The attacker must delete the data source, then someone must recreate it.
- The new data source must not have the attacker as an admin.
- The new data source must have the same UID as the prior one.
- Once 30 seconds pass, the attack cannot be repeated.
- No data source with any other UID can be attacked.
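
One way to check audit data for the delete, recreate, re-delete sequence that the conditions above describe, written as an added example that is not part of the advisory or of Grafana's code. The event fields (`ts`, `pod`, `user`, `action`, `uid`, `admins`) and the sample events are constructed assumptions; map them from whatever audit or access logs your deployment records.

```python
from dataclasses import dataclass

WINDOW = 30  # seconds, the limit stated in the advisory
@dataclass
class Event:
    ts: float           # seconds (epoch or any common clock)
    pod: str            # Grafana pod that handled the request
    user: str
    action: str         # "delete" or "create"
    uid: str            # data source UID
    admins: tuple = ()  # admins of the data source after a create

def find_redeletes(events):
    """Return (first_delete, recreate, second_delete) triples meeting the advisory's conditions."""
    hits, chains = [], {}  # chains: (pod, uid) -> {user: [first_delete, recreate or None]}
    for ev in sorted(events, key=lambda e: e.ts):
        users = chains.setdefault((ev.pod, ev.uid), {})
        for u in [u for u, c in users.items() if ev.ts - c[0].ts > WINDOW]:
            del users[u]  # 30 s have passed since that user's first delete
        if ev.action == "create":
            for u, c in users.items():
                c[1] = None if u in ev.admins else ev  # counts only if the deleter lost admin
        elif ev.action == "delete":
            chain = users.get(ev.user)
            if chain and chain[1] is not None:
                hits.append((chain[0], chain[1], ev))
            else:
                users[ev.user] = [ev, None]  # start tracking from this delete
            for c in users.values():
                c[1] = None  # the data source is gone again
    return hits

SAMPLE = [  # constructed events; names and values are made up for this example
    Event(0, "pod-a", "alice", "delete", "ds-1"),
    Event(8, "pod-a", "bob", "create", "ds-1", ("bob",)),
    Event(15, "pod-a", "alice", "delete", "ds-1"),  # flagged
    Event(0, "pod-a", "carol", "delete", "ds-2"),
    Event(5, "pod-a", "bob", "create", "ds-2", ("bob", "carol")),
    Event(10, "pod-a", "carol", "delete", "ds-2"),  # carol is admin again: not flagged
    Event(0, "pod-a", "dave", "delete", "ds-3"),
    Event(10, "pod-a", "bob", "create", "ds-3", ("bob",)),
    Event(45, "pod-a", "dave", "delete", "ds-3"),   # after 30 s: not flagged
    Event(0, "pod-a", "erin", "delete", "ds-4"),
    Event(5, "pod-b", "bob", "create", "ds-4", ("bob",)),
    Event(9, "pod-b", "erin", "delete", "ds-4"),    # different pod: not flagged
]

for first, recreate, second in find_redeletes(SAMPLE):
    print(f"t={second.ts} pod={second.pod} user={second.user} re-deleted uid={second.uid}")
```

A hit on a version below the fixed release is worth reviewing against the data source's current permissions; upgrading to the fixed versions listed above removes the condition.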