A newly discovered cross-site scripting (XSS) vulnerability in Grafana — a widely used open-source analytics and visualization platform for developers — has put thousands of servers at risk of complete account takeover.
According to an OX Security analysis, the critical vulnerability, dubbed “Grafana Ghost,” exposes unpatched systems to client-side open-redirect and cross-site scripting attacks.
“The vulnerability is a chain of exploits, beginning with a malicious link sent to the victim,” OX researchers said in a blog post. “Even Grafana servers not directly connected to the internet are at risk, due to the potential for blind attacks that exploit the same weakness.”
Researchers warned that a compromised Grafana admin account could have serious consequences, including full access to internal metrics and dashboards, control over user accounts, and potential disruption of operations.
About 47,000 instances are still at risk
The security flaw was first discovered in May 2025 by Alvaro Balada in a bug bounty program and was disclosed by Grafana as a one-day vulnerability.
Over a month from then, OX Security reports that 36% of public-facing Grafana instances–individual deployments or installations of Grafana–are still vulnerable. Based on a Shodan query code shared by OX Security, the CSO team verified that the total number of vulnerable instances was 46,867, approximately 35.8% of the 130,861 total active instances the team identified at the time of writing this article.
Even more are likely affected behind firewalls or in segmented networks, according to the post.
“While talking about a high percentage of publicly available Grafana servers, the vulnerability also affects Grafana instances running locally by crafting a payload that takes advantage of the locally used domain name and port for the local service,” the researchers added. Working exploits for both public-facing as well as local instances were shared in the post.
According to a Grafana advisory, the vulnerability was fixed in v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01, and v12.0.0+security-01 versions.
From open-redirect to plugin-powered takeover
Based on the PoC shared by OX Security, the exploit leverages a clever combo of client-side path traversal and open-redirect mechanics in Grafana’s staticHandler, the component responsible for serving static files like HTML, CSS, JavaScript, and images from the server to the user’s browser.
A potential attack can have a crafted URL sent to the victim, which takes them to a malicious domain. Once there, users are tricked into loading an unsigned, rogue Grafana plugin without the attacker requiring any editor or admin rights.
Once the plugin loads, it runs attacker-controlled JavaScripts in the victim’s browser, potentially leading to session hijacks, credential theft, creation of admin logins, and modification of dashboards.
Additionally, a server-side request forgery (SSRF) escalation for full-read abuse is possible. “This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF,” the Grafana advisory added. Upgrading to fixed Grafana versions is recommended to completely mitigate the issue against N-day attacks.