http://burnedsignal.com/en/tags/cve/Recent content in CVE on burnedsignalHugoenWed, 08 Apr 2026 00:00:00 +0000http://burnedsignal.com/en/posts/grafana-oss-preauth-ssrf/Wed, 08 Apr 2026 00:00:00 +0000http://burnedsignal.com/en/posts/grafana-oss-preauth-ssrf/<h2 id="tldr">TL;DR</h2> <ul> <li>Grafana OSS ships a <strong>no-op request validator</strong> for the datasource proxy endpoint. It always returns <code>nil</code>. Zero SSRF protection.</li> <li>Combined with two default configurations, this allows <strong>unauthenticated users</strong> to proxy HTTP requests to any internal service reachable from the Grafana server.</li> <li>A Shodan scan of 1,000 random instances found <strong>~7,800 internet-exposed Grafana instances</strong> with anonymous access enabled. Directly exploitable, no credentials required.</li> <li>On EC2 with IMDSv1 enabled, this means <strong>full AWS credential theft with no login</strong>: AccessKeyId, SecretAccessKey, session token.</li> <li>Grafana Enterprise ships a real validator. OSS does not. This is a deliberate product split.</li> <li>Submitted to Grafana&rsquo;s bug bounty program, marked Out of Scope. Tracked as <strong><a href="https://www.cve.org/CVERecord?id=CVE-2026-39104">CVE-2026-39104</a></strong>, assigned by MITRE.</li> </ul> <hr> <h2 id="the-setup">The Setup</h2> <p>Grafana&rsquo;s datasource proxy is a legitimate feature. You configure a datasource (Prometheus, InfluxDB, etc.) with a backend URL, and Grafana proxies queries to it on behalf of dashboard users. This keeps credentials server-side and avoids CORS issues.</p>