Grafana Labs A.I CyberSecurity Scoring
Grafana Labs
Company Information
Website: https://grafana.com
Employees number: 1,772
Number of followers: 258,334
NAICS: 5112
Industry Type: Software Development
Homepage: grafana.com
Grafana Labs Risk Score (AI oriented)
Between 600 and 649
Grafana Labs, Software Development
Updated: 19/05/2026
601/1000, Poor (Caa)
6 incidents
-32.75 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
606
JUNE 2026
606
MAY 2026
662
Breach
17 May 2026 • Grafana Labs
Grafana: Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt
Grafana GitHub Breach After Extortion Attempt by CoinbaseCartel
601
MEDIUM-61
GRA1779006227
Grafana Discloses GitHub Breach After Extortion Attempt by CoinbaseCartel
Grafana recently revealed that an unauthorized party gained access to its GitHub environment using a compromised token, allowing the attacker to download the company’s codebase. The incident, discovered "recently," did not expose customer data or disrupt operations, according to Grafana’s statement on X. The company swiftly invalidated the compromised credentials, conducted a forensic investigation, and implemented additional security measures to prevent further unauthorized access.
The attacker attempted to extort Grafana, demanding payment to prevent the stolen data from being published. Grafana refused, citing FBI guidance against ransom payments, which warns that such transactions fail to guarantee data recovery and embolden cybercriminals. The breach has not been linked to a specific threat actor, though reports from Hackmanac and Ransomware.live attribute the attack to CoinbaseCartel, a data extortion group that emerged in September 2025.
CoinbaseCartel, assessed as an offshoot of ShinyHunters, Scattered Spider, and LAPSUS$, specializes in data theft and extortion rather than traditional ransomware. The group has targeted 170 victims across sectors including healthcare, technology, and manufacturing. While Grafana has not disclosed which codebase was accessed, its portfolio includes solutions like Grafana Cloud, a managed observability platform.
The incident follows a recent controversial decision by Instructure, an edtech firm, to pay ShinyHunters after the group threatened to leak terabytes of data from U.S. schools and universities. Grafana has not provided further details on the timeline of the breach or the attacker’s access duration.
APRIL 2026
663
Vulnerability
07 Apr 2026 • Grafana Labs
Grafana: GrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise Data
GrafanaGhost Vulnerability Exposes Enterprise Data via AI Exploitation
659
CRITICAL-4
GRA1775573897
Researchers at Noma Security have uncovered a critical vulnerability, dubbed GrafanaGhost, in Grafana’s AI components that could allow attackers to bypass security safeguards and exfiltrate sensitive enterprise data without user interaction.
Grafana, an open-source analytics and visualization platform, often integrates with enterprise systems, granting it access to financial metrics, infrastructure logs, customer data, and telemetry. The flaw enables threat actors to exploit the platform’s AI-based features by crafting malicious prompts that trick the system into leaking data to external servers.
### How the Attack Works
1. Initial Access: An attacker targets Grafana’s AI companion by embedding a malicious prompt in an entry log, disguised as a legitimate request.
2. Bypass Safeguards: Using the keyword "intent," the attacker circumvents AI guardrails designed to block image markdown injections.
3. Data Exfiltration: The AI companion is tricked into rendering an external image, sending sensitive data such as internal URLs or stored prompts to the attacker’s server as a URL parameter.
4. Stealth Operation: The exfiltration occurs in the background, making it appear as routine data visualization to security teams.
Noma Security demonstrated that attackers could guess Grafana’s data structure to fake paths and abuse image tags for data theft. While Grafana has protections against external image loading, a flaw in URL validation allowed the bypass.
### Response & Industry Perspective
Grafana patched the vulnerability immediately after being notified. However, experts note that exploitability depends on deployment specifics, such as whether AI features are enabled and egress controls are in place.
- Bradley Smith (BeyondTrust) emphasized that while indirect prompt injection is a known attack vector, its success against hardened Grafana deployments varies.
- Ram Varadarajan (Acalvio) warned that AI adoption has expanded the attack surface, requiring network-level URL blocking and runtime behavioral monitoring to detect malicious AI activity.
The incident underscores the growing risks of AI-driven tools processing untrusted input, reinforcing the need for layered security beyond traditional perimeter defenses.
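A defensive output filter for the image-rendering step described above, as an added example that is not Grafana's code or its patch: it parses each image target in assistant output and keeps it only when the resolved host is on an exact-match allowlist. `APP_ORIGIN`, `ALLOWED_IMAGE_HOSTS`, the function names and the sample output are assumptions constructed for illustration.

```javascript
// Added example: filter image markdown in AI-assistant output before rendering.
// APP_ORIGIN and ALLOWED_IMAGE_HOSTS are hypothetical values, not Grafana settings.
const APP_ORIGIN = "https://grafana.example.internal";
const ALLOWED_IMAGE_HOSTS = new Set(["grafana.example.internal"]);

// Matches ![alt](target "optional title"); target is captured up to whitespace or ')'.
const IMAGE_MD = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?[^)]*\)/g;

function isAllowedImageUrl(raw) {
  let url;
  try {
    // Resolve the way a browser would, so "//host/x" and relative paths are
    // judged by the host that would really be contacted.
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return false; // unparseable targets are never rendered
  }
  if (url.protocol !== "https:") return false;    // rejects http:, data:, javascript:
  if (url.username || url.password) return false; // rejects user@host confusion
  return ALLOWED_IMAGE_HOSTS.has(url.hostname);   // exact match, never a substring test
}

function sanitizeModelOutput(markdown) {
  const blocked = [];
  const text = markdown.replace(IMAGE_MD, (match, alt, target) => {
    if (isAllowedImageUrl(target)) return match;
    blocked.push(target); // keep the rejected target for alerting and review
    return `[image removed: ${alt || "untitled"}]`;
  });
  return { text, blocked };
}

// Constructed sample of assistant output; hosts are placeholders.
const sample = [
  "CPU usage is normal.",
  "![panel](/public/img/panel.png)",
  "![status](https://collector.example.net/p.png?d=internal-dashboard-url)",
  "![logo](//collector.example.net/logo.png)",
  "![icon](https://grafana.example.internal@collector.example.net/i.png)",
].join("\n");

const result = sanitizeModelOutput(sample);
console.log(result.text);
console.log("blocked:", result.blocked);
```

The `blocked` list is the detection signal: a rejected image target in assistant output is worth an alert, and an egress rule at the network layer covers any rendering path this filter does not sit on.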
MARCH 2026
662
FEBRUARY 2026
661
JANUARY 2026
657
DECEMBER 2025
654
NOVEMBER 2025
657
Vulnerability
04 Nov 2025 • Grafana Labs
Grafana Labs
Grafana Enterprise Privilege Escalation Vulnerability (CVE-2025-41115)
652
CRITICAL-5
GRA2792027112125
Grafana Labs disclosed a critical vulnerability (CVE-2025-41115) in its Grafana Enterprise product, enabling privilege escalation or impersonation of administrators when SCIM provisioning is misconfigured. The flaw arises from improper mapping of the `externalId` SCIM attribute to Grafana’s internal `user.uid`, allowing attackers to assign numeric IDs (e.g., `"1"`) to provisioned users, effectively granting them admin-level access. While exploitation requires both `enableSCIM` and `user_sync_enabled` to be active—a feature in Public Preview—the risk is severe due to Grafana’s widespread use across enterprises for data visualization and monitoring.
The vulnerability affects versions 12.0.0 to 12.2.1 (excluding OSS and patched Cloud services). Grafana Labs confirmed no active exploitation in its Cloud environment but urged self-managed users to upgrade to versions 12.3.0, 12.2.1, 12.1.3, or 12.0.6 or disable SCIM. The flaw was internally discovered on November 4, patched within 24 hours, and publicly disclosed on November 19. Prior scanning activity for older Grafana flaws (e.g., path traversal) suggests potential reconnaissance for targeting this new vulnerability.
Failure to patch could allow attackers to compromise administrative accounts, leading to unauthorized dashboard access, data manipulation, or lateral movement within enterprise networks. Given Grafana’s role in operational analytics, exploitation could disrupt monitoring, alerting, or compliance reporting, with cascading effects on security posture and incident response.
OCTOBER 2025
656
SEPTEMBER 2025
713
Breach
01 Sep 2025 • Grafana Labs
Grafana Labs: Grafana says stolen GitHub token let hackers steal codebase
Grafana Labs Source Code Stolen in GitHub Breach by CoinbaseCartel Extortion Gang
652
MEDIUM-61
GRA1779114321
Grafana Labs, the company behind the widely used open-source analytics and monitoring platform Grafana, confirmed that hackers breached its GitHub environment and downloaded its source code. The attack was carried out using a stolen access token, with no evidence that customer data or personal information was exposed. The company also stated that customer systems remained unaffected.
The breach was claimed by CoinbaseCartel, a relatively new extortion gang that added Grafana to its data leak site (DLS) as leverage for ransom demands. However, no stolen data has been published yet. Grafana, which serves over 7,000 organizations, including 70% of Fortune 50 companies, refused to pay the ransom, citing FBI guidance that discourages payments to prevent further criminal activity.
Grafana’s forensic investigation traced the breach to compromised credentials, which were subsequently invalidated. The company has implemented additional security measures and plans to release further details after completing its post-incident review.
CoinbaseCartel, active since September 2023, has listed over 100 victims on its extortion portal this year. The gang, believed to include affiliates of ShinyHunters and Lapsus$, gains access through phishing, social engineering, and stolen credentials. Researchers also link the group to the deployment of "shinysp1d3r", an in-memory tool used to encrypt VMware ESXi systems and disable snapshots.
The incident highlights the growing threat of extortion-focused cybercrime groups targeting high-profile tech companies.
AUGUST 2025
713
MAY 2025
713
Vulnerability
21 May 2025 • Grafana Labs
Grafana Labs
Grafana Ghost Vulnerability (CVE-2025-4123)
709
CRITICAL-4
GRA600061525
More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover. The flaw, tracked as CVE-2025-4123, impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics. Despite security updates released on May 21, a significant number of instances remain vulnerable, posing a risk to user sessions and account credentials.
JANUARY 2025
767
Breach
01 Jan 2025 • Grafana Labs
Grafana: 7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand
Grafana Source Code Theft in Cyberattack Linked to Coinbase Cartel
708
LOW-59
GRA1779201402
Grafana Confirms Source Code Theft in Cyberattack Linked to Coinbase Cartel
Grafana, the open-source analytics and visualization platform, confirmed a security breach after attackers accessed its GitHub environment using a compromised token. The incident, detected in early 2026, resulted in the theft of source code, though the company stated that no customer or personal data was exposed, and operations remained unaffected.
The attack has been attributed to Coinbase Cartel, a cybercrime group with ties to ShinyHunters, Scattered Spider, and Lapsus$. The threat actors demanded a ransom to prevent the leaked code from being published, but Grafana refused to comply. Coinbase Cartel has been active since 2025, orchestrating a series of high-profile data theft campaigns targeting organizations across multiple sectors.
While the breach did not disrupt Grafana’s services, the incident underscores the persistent threat posed by financially motivated cybercriminal groups leveraging stolen credentials to infiltrate development environments.