CVE-2026-15583 - SSRF (confused deputy) in Grafana MCP Server via X-Grafana-URL header
CVE ID :CVE-2026-15583
Published : July 15, 2026, 8:16 a.m. | 2 hours, 31 minutes ago
Description :A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : July 15, 2026, 8:16 a.m. | 2 hours, 31 minutes ago
Description :A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...