Grafana 7.5.11 and 8.1.6 released with critical security fix
Blog post from Grafana Labs
Grafana 7.5.11 and 8.1.6 have been released with a critical security fix for a vulnerability affecting all Grafana versions from 2.0.1 to 8.1.5, tracked as CVE-2021-39226. The flaw allowed both unauthenticated and authenticated users to view and delete snapshots by requesting specific paths.

The vulnerability was reported on September 15, 2021, and was mitigated on Grafana Cloud by September 16. Grafana Enterprise customers received updated binaries on September 28, ahead of the public release on October 5.

The patch lets all users secure their instances against this issue. Users are encouraged to upgrade to version 8.1.6; where upgrading is not feasible, the workaround is to block the specific paths involved. The severity was escalated from medium to critical because of the potential for data enumeration and data loss, but an audit of Grafana Cloud instances found no evidence of exploitation.

Security vulnerabilities should be reported to Grafana Labs through its secure reporting channel, and updates on security fixes are published in the Security Announcements on the community site.
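To turn the affected range and fixed releases above into a check an operator can run across an inventory of instances, here is an added example (not code from Grafana Labs); the affected range 2.0.1 to 8.1.5 and the fixed releases 7.5.11 and 8.1.6 are the figures stated in the announcement, and the function names and the treatment of pre-release suffixes are assumptions.

```python
"""Decide whether a Grafana version is affected by CVE-2021-39226.

Added example, not Grafana Labs code. Figures come from the announcement:
affected 2.0.1 through 8.1.5, fixed in 7.5.11 (7.5 branch) and 8.1.6.
Assumption: pre-release suffixes (e.g. '-beta1') are ignored and the version
is compared as if it were the final release.
"""
import re

FIRST_AFFECTED = (2, 0, 1)
LAST_AFFECTED = (8, 1, 5)
# Branches that received a backported fix: anything on these branches below
# the listed release is still vulnerable.
FIXED_BY_BRANCH = {(7, 5): (7, 5, 11), (8, 1): (8, 1, 6)}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into an int tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if this version needs the upgrade or the path-blocking workaround."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed          # e.g. 7.5.10 -> vulnerable, 7.5.11 -> fixed
    return v <= LAST_AFFECTED     # e.g. 8.0.6 -> vulnerable, 8.2.0 -> fixed


def recommended_release(version_text):
    """Fixed release to move to; None when the version is not affected."""
    if not is_affected(version_text):
        return None
    v = parse_version(version_text)
    return "7.5.11" if v[:2] == (7, 5) else "8.1.6"


def triage(inventory):
    """Map instance name -> recommended release for every affected entry.

    `inventory` is {name: version_string}; unaffected instances are omitted.
    """
    return {name: rel for name, ver in inventory.items()
            if (rel := recommended_release(ver)) is not None}
```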