From fa863c3a9e2503411ff547656105046e487fcd8f Mon Sep 17 00:00:00 2001
From: Mariell Hoversholm <mariell@mardroemmar.dev>
Date: Tue, 27 Jan 2026 09:18:01 +0100
Subject: [PATCH] API: add missing scope check on dashboards
Applies security patch `main/624-202601021105.patch`.
Fixes: CVE-2026-21721
Co-Authored-By: Jo Garnier <git@jguer.space>
---
pkg/api/api.go | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 61ced28f2764e..34e1c521c4dd1 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -469,6 +469,7 @@ func (hs *HTTPServer) registerRoutes() {
}
dashboardRoute.Group("/uid/:uid", func(dashUidRoute routing.RouteRegister) {
+ dashUIDScope := dashboards.ScopeDashboardsProvider.GetResourceScopeUID(ac.Parameter(":uid"))
dashUidRoute.Get("/versions", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions))
dashUidRoute.Post("/restore", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion))
dashUidRoute.Get("/versions/:id", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
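Review bot: `dashUIDScope` is declared here but the three routes that follow it in this hunk (`/versions`, `/versions/:id`, `/restore`) still call `ac.EvalPermission(dashboards.ActionDashboardsWrite)` with no scope, so only the `/permissions` sub-group in the next hunk actually uses it. If the version handlers enforce per-dashboard access themselves (a guardian or dashboard-service lookup that is not visible here), a one-line comment saying so above the declaration would stop the next reader from re-raising this; if they do not, `authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite, dashUIDScope))` on each of them would make the route-level check consistent with the permissions routes. The same question applies to the `/id/:dashboardId` group in the third hunk, where `dashIDScope` is likewise only consumed by `/permissions`. `registerRoutes` starts and ends outside this hunk.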
@@ -479,8 +480,8 @@ func (hs *HTTPServer) registerRoutes() {
}
dashUidRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {
- dashboardPermissionRoute.Get("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
- dashboardPermissionRoute.Post("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
+ dashboardPermissionRoute.Get("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashUIDScope)), routing.Wrap(hs.GetDashboardPermissionList))
+ dashboardPermissionRoute.Post("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashUIDScope)), routing.Wrap(hs.UpdateDashboardPermissions))
})
})
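Review bot: The changed `Get`/`Post` lines carry no comment explaining why the scope argument matters, and nothing in the hunk records that this is the fix referenced in the commit subject. A short comment above the two routes such as `// Scope the permission check to the dashboard in the path; without a scope EvalPermission appears to accept the action on any dashboard.` would preserve that context for future edits to these routes. The same comment belongs on the parallel pair in the third hunk (`dashIDScope`). The enclosing `registerRoutes` continues outside this hunk.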
@@ -495,13 +496,14 @@ func (hs *HTTPServer) registerRoutes() {
// Deprecated: use /uid/:uid API instead.
dashboardRoute.Group("/id/:dashboardId", func(dashIdRoute routing.RouteRegister) {
+ dashIDScope := dashboards.ScopeDashboardsProvider.GetResourceScope(ac.Parameter(":dashboardId"))
dashIdRoute.Get("/versions", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions))
dashIdRoute.Get("/versions/:id", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
dashIdRoute.Post("/restore", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion))
dashIdRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {
- dashboardPermissionRoute.Get("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
- dashboardPermissionRoute.Post("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
+ dashboardPermissionRoute.Get("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashIDScope)), routing.Wrap(hs.GetDashboardPermissionList))
+ dashboardPermissionRoute.Post("/", authorize(ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashIDScope)), routing.Wrap(hs.UpdateDashboardPermissions))
})
})
})
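Review bot: After this change the `/permissions` sub-group registered here is textually identical to the one under `/uid/:uid`, differing only in which scope variable is passed, which is how the two copies drifted in the first place. A small method taking `(routing.RouteRegister, string)` that registers both routes would leave one place to keep the scope check correct; whether that is practical depends on `authorize` being reachable from such a helper, which is not visible in this hunk. `registerRoutes` continues past the end of the hunk.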