Security researchers say a critical Grafana issue could let attackers exfiltrate sensitive enterprise data from AI-powered dashboards without authentication or user interaction. The flaw, dubbed GrafanaGhost, affects environments that use Grafana AI features and can expose financial metrics, infrastructure health data, customer records and operational logs.
KEY FACTS
- Issue: GrafanaGhost chains multiple bypasses in application logic and AI guardrails.
- Impact: The attack can trigger outbound requests that leak sensitive dashboard data.
- Discovery: A technical disclosure from Noma Security says Grafana validated the flaw and shipped a fix.
- Defense: Recommended steps include patching, restricting image sources and applying egress controls.
The report says the attack begins by finding an injection point where user-controlled input can be stored and later processed by Grafana AI components. Crafted paths can persist in the system and later be treated as legitimate input.
Researchers then used indirect prompt injection to steer the model into generating requests that include sensitive data. The disclosure says a flaw in URL validation allowed protocol-relative URLs such as //attacker.com to bypass client-side protections against external image loading.
The chain also tries to evade guardrails by inserting keywords such as INTENT into prompts to make the request appear legitimate. Once processed, the system attempts to render an image and sends sensitive data to the attacker’s server.
Not everyone sees the finding as a new class of threat. Bradley Smith, SVP and deputy CISO at BeyondTrust, said the technique is well documented and that the practical exploitability in a hardened Grafana deployment is less clear.
Smith said users should check whether Grafana AI or LLM features are enabled, patch to the latest version, restrict img-src to known domains and apply egress controls. Grafana did not immediately respond to a request for comment.
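The URL-validation weakness the disclosure describes (a protocol-relative value such as //attacker.com slipping past a client-side external-image check) and the img-src restriction Smith recommends, as an added JavaScript example. This is not Grafana's code; the function names, the page origin and every host name are constructed placeholders.

```javascript
// Added illustration, not Grafana's code: a naive external-image check that a
// protocol-relative URL slips past, beside a hardened allowlist check and the
// matching CSP img-src directive. All host names are constructed placeholders.

const PAGE_ORIGIN = "https://grafana.example.internal";
const ALLOWED_IMAGE_HOSTS = new Set([
  "grafana.example.internal",
  "cdn.example.internal",
]);

// Weak check: treats anything without an explicit http(s) scheme as local.
// "//evil.example/x.png" has no scheme, so it passes, yet the browser resolves
// it against the page's scheme and fetches it from evil.example.
function weakIsLocalImage(src) {
  return !/^https?:\/\//i.test(src.trim());
}

// Hardened check: let the URL parser resolve the value against the page origin,
// exactly as the browser would, then require https and an exact host match.
function hardenedIsAllowedImage(src, pageOrigin = PAGE_ORIGIN, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch {
    return false; // unparsable value: reject rather than guess
  }
  if (url.protocol !== "https:") return false; // also drops data:, javascript:, http:
  // Exact match, not endsWith(): "cdn.example.internal.evil.example" must fail.
  return allowedHosts.has(url.hostname.toLowerCase());
}

// The same allowlist expressed as a Content-Security-Policy img-src directive,
// so the browser enforces it even if an application-level check is bypassed.
function buildImgSrcDirective(allowedHosts = ALLOWED_IMAGE_HOSTS) {
  const sources = ["'self'", ...[...allowedHosts].map((h) => `https://${h}`)];
  return `img-src ${sources.join(" ")}`;
}

// Constructed sample of image sources as they might appear in model-generated
// panel markup; the query strings stand in for leaked dashboard values.
const SAMPLE_IMAGE_SRCS = [
  "/public/img/grafana_icon.svg",
  "https://cdn.example.internal/logo.png",
  "//evil.example/pixel.png?d=q3_revenue",
  "https://evil.example/pixel.png?d=q3_revenue",
  "https://cdn.example.internal.evil.example/pixel.png",
  "data:image/png;base64,iVBORw0KGgo=",
];

// Run both checks over the samples and report which sources each would render.
function auditImageSources(srcs = SAMPLE_IMAGE_SRCS) {
  return {
    weakAccepts: srcs.filter(weakIsLocalImage),
    hardenedAccepts: srcs.filter((s) => hardenedIsAllowedImage(s)),
  };
}

const report = auditImageSources();
console.log("weak check renders:", report.weakAccepts);
console.log("hardened check renders:", report.hardenedAccepts);
console.log("CSP:", buildImgSrcDirective());
```

Run with `node`; the weak check renders the protocol-relative source, the hardened check does not. In a browser the page origin would come from `window.location.origin`, and the application-level check should be treated as one layer only: the CSP directive makes the browser refuse the fetch regardless of how the markup was produced, and network egress controls catch whatever reaches the server side.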
WHY IT MATTERS
The case highlights how AI features can create new exposure when they process untrusted input inside widely used business tools. If left unpatched or loosely controlled, such systems can turn normal dashboard activity into a path for silent data theft.