CVE-2026-15583
HIGH
NVD
CVSS Score
8.6
Severity
HIGH
Published
Jul 15, 2026
Vendor
unknown
Description
A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.