CVE-2026-21727

---<br /> title: Cross-Tenant Legacy Correlation Disclosure and Deletion<br /> draft: false<br /> hero:<br /> image: /static/img/heros/hero-legal2.svg<br /> content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion"<br /> date: 2026-01-29<br /> product: Grafana<br /> severity: Low<br /> cve: CVE-2026-21727<br /> cvss_score: "3.3"<br /> cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"<br /> fixed_versions:<br /> - "&gt;=11.6.11 &gt;=12.0.9 &gt;=12.1.6 &gt;=12.2.4"<br /> ---<br /> A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in &gt;=11.6.11, &gt;=12.0.9, &gt;=12.1.6, and &gt;=12.2.4.<br /> <br /> Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.