🚨 46,000+ Grafana Instances Exposed to Critical Account Takeover Vulnerability (CVE-2024-36045)

Hack & Fix June 15, 2025

On June 13, 2024, a critical vulnerability in Grafana, the popular open-source analytics and monitoring platform, was publicly disclosed. Tracked as CVE-2024-36045, the flaw enables attackers to take over user accounts — including admins — via a broken OAuth implementation, with no user interaction required.

More than 46,000 vulnerable Grafana instances were discovered publicly accessible at the time of the disclosure.

🧨 What’s at Risk?

This vulnerability affects the following versions:

10.0.0 to 10.0.11
10.1.0 to 10.1.9
10.2.0 to 10.2.8
10.3.0 to 10.3.5
10.4.0 to 10.4.1

If exploited, attackers can:

Impersonate legitimate users, including admin accounts
Access or modify sensitive dashboards and alert configs
Escalate privileges or move laterally inside your environment
Compromise your observability pipeline and use it as a foothold

This is a high-severity vulnerability (CVSS 8.1) with real-world impact — and threat actors are actively scanning for exposed instances.

🛠️ What You Need to Do

Grafana Labs has released patched versions:

10.0.12
10.1.10
10.2.9
10.3.6
10.4.2

✅ Immediate action:

Upgrade Grafana to the latest patched version
Review your OAuth setup and remove unused providers
Audit user roles and tokens
Restrict public access to internal dashboards

🔐 This Is Why Regular Pentesting Matters

Dashboards and monitoring tools are often deployed with default settings, minimal access control, or without full visibility into their attack surface. Vulnerabilities like CVE-2024-36045 can stay hidden for months — until it's too late.

At Hack&Fix, we help companies identify and eliminate these hidden risks before attackers do.

We provide:

🔎 Penetration testing for applications, dashboards, APIs, and internal tooling
🧱 Security hardening & misconfiguration reviews
🚨 Real-world exploit simulation (Red Team & Adversary Emulation)
📊 Detailed reporting and actionable remediation guidance