Over 46,000 Grafana Instances Exposed to Serious Security Flaw

More than 46,000 instances of the open-source monitoring platform Grafana are currently unpatched and vulnerable to an account takeover exploit, according to research from OX Security. The security flaw, tracked as CVE-2025-4123, could allow attackers to execute malicious plugins and hijack user accounts.

The vulnerability, discovered by bug bounty hunter Alvaro Balada, was addressed in a series of security updates released by Grafana Labs on May 21. Unfortunately, over a third of the Grafana instances that are accessible over the internet remain unpatched, posing a significant risk to users.

OX Security’s analysis revealed that there are currently 128,864 Grafana instances exposed online, with 46,506 still operating on versions vulnerable to exploitation. This exposes approximately 36% of public-facing installations to potential attacks. The firm has dubbed the flaw ‘The Grafana Ghost’. Researchers noted that the exploit could be weaponized by employing techniques to redirect users to malicious plugins.

By exploiting this flaw, attackers could execute arbitrary JavaScript code in victims’ browsers, enabling them to hijack user sessions and modify account details with relative ease. The platform’s default Content Security Policy (CSP) offers some protection, but because CSP is enforced only in the client’s browser it limits rather than closes the exposure. Grafana administrators are advised to update their systems to the patched versions named in the May 21 security updates to mitigate this risk and prevent potential exploitation.
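The practical follow-up to a report like this is checking whether your own instances are among the unpatched ones. The script below is an added example, not tooling from OX Security or Grafana Labs: it reads the version string that Grafana’s unauthenticated `/api/health` endpoint returns, compares it against a per-branch table of first patched releases, and aggregates the result the way the OX Security figures are presented. The `FIXED_VERSIONS` table and the sample health payloads are constructed placeholders, since this page does not list the patched version numbers; take the real branch/version pairs from the Grafana Labs advisory before relying on it.

```python
"""Fleet check for the Grafana account-takeover flaw (CVE-2025-4123).

Added example, not OX Security's or Grafana Labs' code. Grafana versions look
like "11.4.3" or "11.4.3+security-01"; the "+security-NN" suffix matters,
because a security re-release carries the same base number as the build it
supersedes.
"""
import json
import re
from urllib.request import Request, urlopen

# PLACEHOLDER: constructed branch -> first-fixed-version pairs for demonstration only.
# Replace with the list from the Grafana Labs advisory for CVE-2025-4123.
FIXED_VERSIONS = {
    "11.4": "11.4.50+security-01",
    "12.0": "12.0.50+security-01",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?")


def parse_version(text):
    """Turn '11.4.3+security-01' into the comparable tuple (11, 4, 3, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def assess(version, fixed=FIXED_VERSIONS):
    """Classify one version string as 'patched', 'vulnerable' or 'unsupported'.

    'unsupported' means the major.minor branch has no patched release in the
    table at all; for an end-of-life branch the only remedy is an upgrade, so
    operationally it counts as needing action, just like 'vulnerable'.
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in fixed:
        return "unsupported"
    return "patched" if v >= parse_version(fixed[branch]) else "vulnerable"


def assess_health_payload(payload, fixed=FIXED_VERSIONS):
    """Assess the JSON body of GET /api/health, e.g. {"database":"ok","version":"11.4.3"}."""
    body = json.loads(payload)
    version = body.get("version")
    if not version:
        # Some deployments hide the version; flag for manual follow-up.
        return {"version": None, "status": "unknown"}
    return {"version": version, "status": assess(version, fixed)}


def fetch_health(base_url, timeout=5):
    """Retrieve /api/health from one of your own instances (live network call)."""
    req = Request(base_url.rstrip("/") + "/api/health",
                  headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def summarise(results):
    """Aggregate per-host statuses into counts plus the share needing action."""
    counts = {"patched": 0, "vulnerable": 0, "unsupported": 0, "unknown": 0}
    for r in results:
        counts[r["status"]] += 1
    needing_action = counts["vulnerable"] + counts["unsupported"]
    total = sum(counts.values())
    counts["pct_needing_action"] = round(100.0 * needing_action / total, 1) if total else 0.0
    return counts


# Constructed sample /api/health responses standing in for a small fleet.
SAMPLE_HEALTH = [
    '{"commit":"abc123","database":"ok","version":"11.4.49"}',
    '{"commit":"abc123","database":"ok","version":"11.4.50+security-01"}',
    '{"commit":"def456","database":"ok","version":"12.0.50+security-02"}',
    '{"commit":"000000","database":"ok","version":"9.5.1"}',
]

if __name__ == "__main__":
    results = [assess_health_payload(p) for p in SAMPLE_HEALTH]
    for r in results:
        print(f"{r['version']:<24} {r['status']}")
    print(summarise(results))
```

For a real inventory, feed `fetch_health()` the base URLs of your own instances and pass the results through `assess_health_payload()`; the comparison deliberately treats `11.4.50` as older than `11.4.50+security-01`, so a build that predates the security re-release is not mistaken for the patched one.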