The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included Grafana CVE-2021-43798 in its Known Exploited Vulnerabilities (KEV) catalog in October 2025, signalling to organizations that this long-standing security flaw continues to pose a real-world threat.
Background: What is CVE-2021-43798?
CVE-2021-43798 is a directory traversal vulnerability affecting Grafana—one of the industry’s most widely deployed open-source observability platforms. Versions 8.0.0-beta1 through 8.3.0 are at risk, allowing attackers to craft HTTP requests that exploit the /public/plugins/<plugin-id>/ path. With no authentication required, attackers can access files outside of allowed directories, including sensitive system and application data.
Attack Impact and Exploitation Trends
- Immediate risks: Attackers exploit this vulnerability to read sensitive files such as
/etc/passwd,grafana.ini, OAuth tokens, or Grafana’s internal SQLite database containing user and datasource details. - Exposed environments: Internet-facing Grafana servers remain the most vulnerable, as attacks do not require authentication or privilege escalation.
- Real-world exploitation: Since disclosure in December 2021, there’s been persistent internet scanning and exploitation, with threat actors targeting critical infrastructure, cloud workloads, and enterprise environments. Public exploit code remains widely available.
Why Did CISA Add This CVE to KEV?
The KEV catalog prioritizes vulnerabilities with confirmed, observed exploitation in the wild. CISA’s inclusion of CVE-2021-43798 requires federal agencies (and signals to private orgs) to immediately remediate exposed deployments, as the vulnerability is actively used in campaigns targeting cloud, industrial, and government systems.
Remediation Guidance
- Patch Now: Immediately upgrade Grafana to version 8.3.1, 8.2.7, 8.1.8, or 8.0.7.
- Validate exposure: Audit Grafana endpoints for public exposure and restrict access where possible[10].
- Hardening: Apply additional OS or Kubernetes controls (e.g., AppArmor, eBPF, strong network segmentation) for isolated workloads.
- Confirm removal: Ensure vulnerable plugin paths are not accessible and monitor for unauthorized access attempts during or after patch cycles.
