CVE-2026-15583
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/07/2026
Last modified:
15/07/2026
Description
A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.
Impact
Base Score 3.x
8.60
Severity 3.x
HIGH



