{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T21:26:10.146","vulnerabilities":[{"cve":{"id":"CVE-2025-3454","sourceIdentifier":"security@grafana.com","published":"2025-06-02T11:15:22.167","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path.\n\nUsers with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources.\n\nThe issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources."},{"lang":"es","value":"Esta vulnerabilidad en la API de proxy de origen de datos de Grafana permite omitir las comprobaciones de autorización añadiendo una barra diagonal adicional en la ruta URL. Los usuarios con permisos mínimos podrían obtener acceso de lectura no autorizado a los endpoints GET en los orígenes de datos de Alertmanager y Prometheus. El problema afecta principalmente a los orígenes de datos que implementan permisos específicos de ruta, como Alertmanager y algunos orígenes de datos basados en Prometheus."}],"metrics":{"cvssMetricV31":[{"source":"security@grafana.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":1.4}]},"weaknesses":[{"source":"security@grafana.com","type":"Secondary","description":[{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://grafana.com/security/security-advisories/cve-2025-3454/","source":"security@grafana.com"}]}}]}