CVE-2026-8595: Grafana: stored XSS via malicious TableNG field name
MEDIUMA user who only has Editor-level access to Grafana can plant a malicious field name inside a TableNG panel that executes arbitrary JavaScript in the browser of anyone who later opens that dashboard, including admins. This is a classic stored cross-site scripting flaw (CWE-79) rated medium (CVSS 6.8) rather than critical because it needs a low-privilege authenticated Editor account and requires a victim to actually view the crafted dashboard; there is no EPSS score, no CISA KEV listing, no public exploit code, and no Nuclei template observed, so there is no evidence of active or automated exploitation today. The real risk is privilege escalation and lateral movement inside monitoring infrastructure: Grafana instances frequently sit in front of production and ML-ops dashboards with session cookies, API keys, or SSO tokens exposed to whoever views them, so a compromised or malicious Editor account can pivot to admin-level control or exfiltrate credentials from higher-privileged viewers. Because our package risk model shows 0/100 and downstream dependents are unlisted for Grafana, treat this as an infrastructure-hygiene item rather than a supply-chain one: patch to the fixed Grafana release referenced in the vendor advisory, restrict who can hold Editor role, and review Content-Security-Policy / dashboard-sharing settings as a compensating control until patched.
What is the risk?
Medium severity (CVSS 6.8, AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L). Exploitability is moderate: the attacker must already hold an authenticated Editor role (PR:L) and a victim must open the crafted dashboard (UI:R), which limits mass exploitation but makes insider-threat and compromised-account scenarios realistic. No EPSS score, no CISA KEV entry, no public PoC, and no Nuclei template were found, indicating no known active exploitation as of publication. Impact is high on confidentiality (C:H) because stored XSS in a dashboard viewed by admins can lead to session/token theft and account takeover, with lower integrity/availability impact (I:L/A:L). Overall this is a real but bounded risk — most damaging in multi-tenant or shared Grafana deployments where Editor accounts are broadly distributed or where dashboards monitor sensitive AI/ML pipelines.
How does the attack unfold?
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Patch to the Grafana version that fixes CVE-2026-8595 per the vendor advisory (grafana.com/security/security-advisories/cve-2026-8595) as soon as it is validated in a non-prod environment. 2) Until patched, audit and minimize who holds the Editor role — treat Editor as equivalent to a semi-trusted insider given this flaw. 3) Enforce a strict Content-Security-Policy on the Grafana instance to reduce the blast radius of any injected script (disallow inline script execution where possible). 4) Restrict or monitor use of TableNG panels and custom field names in dashboards created by non-admin users; consider dashboard review/approval workflows for shared or public dashboards. 5) Detection: review Grafana audit logs for dashboard creation/edits containing unusual field names with HTML/script-like content (e.g.
<script,onerror=,javascript:), and monitor for anomalous outbound requests from admin browser sessions shortly after viewing shared dashboards.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-8595?
A user who only has Editor-level access to Grafana can plant a malicious field name inside a TableNG panel that executes arbitrary JavaScript in the browser of anyone who later opens that dashboard, including admins. This is a classic stored cross-site scripting flaw (CWE-79) rated medium (CVSS 6.8) rather than critical because it needs a low-privilege authenticated Editor account and requires a victim to actually view the crafted dashboard; there is no EPSS score, no CISA KEV listing, no public exploit code, and no Nuclei template observed, so there is no evidence of active or automated exploitation today. The real risk is privilege escalation and lateral movement inside monitoring infrastructure: Grafana instances frequently sit in front of production and ML-ops dashboards with session cookies, API keys, or SSO tokens exposed to whoever views them, so a compromised or malicious Editor account can pivot to admin-level control or exfiltrate credentials from higher-privileged viewers. Because our package risk model shows 0/100 and downstream dependents are unlisted for Grafana, treat this as an infrastructure-hygiene item rather than a supply-chain one: patch to the fixed Grafana release referenced in the vendor advisory, restrict who can hold Editor role, and review Content-Security-Policy / dashboard-sharing settings as a compensating control until patched.
Is CVE-2026-8595 actively exploited?
No confirmed active exploitation of CVE-2026-8595 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-8595?
1) Patch to the Grafana version that fixes CVE-2026-8595 per the vendor advisory (grafana.com/security/security-advisories/cve-2026-8595) as soon as it is validated in a non-prod environment. 2) Until patched, audit and minimize who holds the Editor role — treat Editor as equivalent to a semi-trusted insider given this flaw. 3) Enforce a strict Content-Security-Policy on the Grafana instance to reduce the blast radius of any injected script (disallow inline script execution where possible). 4) Restrict or monitor use of TableNG panels and custom field names in dashboards created by non-admin users; consider dashboard review/approval workflows for shared or public dashboards. 5) Detection: review Grafana audit logs for dashboard creation/edits containing unusual field names with HTML/script-like content (e.g. `<script`, `onerror=`, `javascript:`), and monitor for anomalous outbound requests from admin browser sessions shortly after viewing shared dashboards.
What systems are affected by CVE-2026-8595?
This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps monitoring dashboards, observability pipelines for AI/ML infrastructure.
What is the CVSS score for CVE-2026-8595?
CVE-2026-8595 has a CVSS v3.1 base score of 6.8 (MEDIUM).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0011 User Execution AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting).
Exploitation Scenario
A contractor or compromised account with Editor permissions on a shared Grafana instance creates a new dashboard tracking, for example, LLM inference latency. Inside a TableNG panel, they set a column field name containing a crafted payload (e.g. an `onerror`/event-handler style string) that Grafana fails to sanitize. The dashboard is shared with the on-call/SRE team or pinned to a team folder. When an admin or higher-privileged engineer opens the dashboard to check model-serving health, the payload executes in their browser session, allowing the attacker to steal the admin's Grafana session cookie or API token, silently create a new admin account, or pivot to modify alerting rules and data source credentials tied to the AI/ML monitoring stack.
Weaknesses (CWE)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L Timeline
Related Vulnerabilities
CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Code Execution CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Code Execution CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same attack type: Auth Bypass CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Privacy Violation CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Code Execution