CVE-2023-3128

CRITICAL9.4EPSS 1.9%

Grafana vulnerable to Authentication Bypass by Spoofing

Published: 6/22/2023Modified: 3/16/2026

Also known as:GHSA-mpv3-g8m3-3fjcBIT-grafana-2023-3128CGA-3hvm-2h7f-4v6f

Description

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Affected packages (2)

Bitnami/grafana>= 6.7.0, < 8.5.27, >= 9.2.0, < 9.2.20, >= 9.3.0, < 9.3.16, >= 9.4.0, < 9.4.13, >= 9.5.0, < 9.5.4
Go/github.com/grafana/grafana>= 9.4.0, < 9.4.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

References (8)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-3128
PATCHhttps://github.com/grafana/grafana
WEBhttps://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp
WEBhttps://github.com/grafana/grafana/blob/69fc4e6bc0be2a82085ab3885c2262a4d49e97d8/CHANGELOG.md
WEBhttps://grafana.com/security/security-advisories/cve-2023-3128
WEBhttps://grafana.com/security/security-advisories/cve-2023-3128/
WEBhttps://security.netapp.com/advisory/ntap-20230714-0004
WEBhttps://security.netapp.com/advisory/ntap-20230714-0004/