CVE Vulnerabilities

CVE-2026-15583

Externally Controlled Reference to a Resource in Another Sphere

Published: Jul 15, 2026 | Modified: Jul 15, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io logo minimus.io logo echo.ai logo

A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the servers environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.

Weakness

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

References