CVE-2026-27877
Public dashboards discloses all direct mode datasourcesWhen using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
We have discovered 477 live websites that are affected by CVE-2026-27877.
Affected Software
| Product |  Grafana |
| Category | Analytics |
| Vulnerable Domains | 477 live websites (74% of Grafana install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 57 versions ( 65% of all versions) |
Details
- Published - Mar 27, 2026
- Updated - Apr 9, 2026
CVE References
Website Distribution by Country
Number of websites using CVE-2026-27877 United States | 158 websites |
 Germany | 104 websites |
 France | 51 websites |
 Russia | 24 websites |
 Switzerland | 16 websites |
 China | 12 websites |
 Singapore | 11 websites |
 Netherlands | 10 websites |
 Czech Republic | 7 websites |
Website Distribution by TLD
Number of websites using CVE-2026-27877| .com | 154 websites |
| .net | 52 websites |
| .org | 45 websites |
| .de | 38 websites |
| .ru | 24 websites |
| .ch | 20 websites |
| .eu | 13 websites |
| .io | 11 websites |
| .fr | 9 websites |
| .com.br | 7 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-27877
Top websites that are affected by CVE-2026-27877. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.*******.io | France | **,*** | |
| ********.info | France | ***,*** | |
| *******************.com | United States | ***,*** | |
| *******.*******.org | United States | *,***,*** | |
| *******.*********.org | United States | *,***,*** | |
| *******.***.ch | Switzerland | *,***,*** | |
| *******.net | United States | *,***,*** | |
| ******.*******.com | United States | *,***,*** | |
| *******.io | United States | *,***,*** | |
| *********.com | United States | *,***,*** |
FAQ
A total of 477 websites have been identified as vulnerable to CVE-2026-27877, based on global website indexing conducted by WebTechSurvey.
The Grafana is affected by the CVE-2026-27877 vulnerability.
Grafana versions up to 12.4.2 are vulnerable to CVE-2026-27877.
CVE-2026-27877 is resolved in version 12.4.2 of Grafana.