Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-15583

HIGH NVD
CVSS Score 8.6
Severity HIGH
Published Jul 15, 2026
Vendor unknown

Description

A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.

References