
The link is to the write-up from the guy who found it, but here’s a high-level summary from a different link:
CVE-2025-4123 is a 1-day vulnerability first disclosed in May 2025 by Alvaro Balada.
The vulnerability is a chain of exploits, beginning with a malicious link sent to the victim. When clicked, the link makes Grafana use an external malicious plugin hosted on the attacker’s server.
This malicious plugin is capable of running any code on behalf of the user; in our particular case, the code that runs changes the victim’s Grafana username and login email to values controlled by the attacker, or can redirect to internal services. Once the email is changed, the attacker can use it to reset the victim’s password and gain access to their Grafana account.
— OX Security, The Grafana Ghost
I totally support your point