Top/Articles/Flaw in Grafana's AI connector 'mcp-grafana' leaks credentials (CVE-2026-15583): update to v0.17.2 now
mcp-grafana-cve-cover-en

Flaw in Grafana's AI connector 'mcp-grafana' leaks credentials (CVE-2026-15583): update to v0.17.2 now

A serious flaw, CVE-2026-15583, has been found in mcp-grafana, the connector that lets AI assistants operate the monitoring tool Grafana. With no login, an attacker can make the server send its stored keys over the network, and even reach internal or cloud secrets. A fix, v0.17.2, is out. We explain what happens and whether your setup is at risk.

NewsPublished July 15, 2026 Updated today
Table of contents
Key takeaways

A serious flaw, CVE-2026-15583, has been found in mcp-grafana, the connector that lets AI assistants operate the monitoring tool Grafana. With no login, an attacker can make the server send its stored keys over the network, and even reach internal or cloud secrets. A fix, v0.17.2, is out. We explain what happens and whether your setup is at risk.

A serious flaw that can leak stored credentials wholesale has been found in "mcp-grafana," the connector that lets AI assistants operate the monitoring tool Grafana. It was published by the U.S. vulnerability database (NVD) on July 15, 2026, is tracked as CVE-2026-15583, and is rated 8.6 out of 10 (High).

What makes it scary is that no login is needed and it can be hit remotely over the network. With a single crafted request, an attacker can make the server send its stored monitoring credentials—the service-account token—straight to the attacker's own machine. The same hole can also be used as a stepping stone to reach internal services or steal secrets from cloud metadata endpoints.

Grafana is a monitoring tool used by companies worldwide to visualize the state of servers and apps as graphs. mcp-grafana is the bridge that connects an AI assistant like ChatGPT or Claude to Grafana, so you can ask "is the server overloaded right now?" or "are errors climbing?" in plain language. A fix is already available: just update to the patched v0.17.2 (released July 13, 2026) or later. Here is what happens, and whether your setup is actually at risk.

Vulnerability overview

CVE-2026-15583: spoof the destination, walk off with the key

This is what is technically called a confused deputy problem. A privileged, legitimate program is talked into using its own authority on behalf of an attacker, ending up as an accomplice—a classic trap. mcp-grafana has a legitimate multi-organization feature that lets a request choose which Grafana to route to, via the X-Grafana-URL field. The catch: if an attacker rewrites that destination to their own server's address, mcp-grafana forwards the credentials meant for Grafana straight to the attacker's server instead.

ItemDetail
IDCVE-2026-15583
Affected softwaremcp-grafana
(Grafana's official AI connector server)
Affected versionsAll versions up to 0.17.1
Flaw typeConfused deputy /
Server-Side Request Forgery (SSRF)
SeverityCVSS v3.1: 8.6 (High)
Attack prerequisiteNo login needed;
exploitable remotely over the network
Possible impactCredential theft;
probing internal services and cloud data
FixUpdate to v0.17.2 or later

The "credentials (service-account token)" is the master key mcp-grafana is given to access Grafana. If that key is stolen, an attacker can reach your Grafana with legitimate privileges. Monitoring dashboards gather server configurations, internal IP addresses, alert settings, and sometimes even the credentials of connected systems—so leaking a single key can expose an organization's inner workings. A severity of 8.6 is on the heavier end for issues reported in Grafana or AI-connector tools.

How the fix unfolded

The mcp-grafana team had been hardening defenses even before the CVE went public. A July 7 release closed off a different network-based attack, and a July 13 release implemented the core fix here—pinning where credentials are allowed to be sent. The issue was formally assigned a number and widely disclosed on July 15.

← Swipe to move

Is your setup at risk? (quick guide)

Not everyone faces the same risk. mcp-grafana can be run in several ways (transport modes), and the dangerous case is when it is run open to the network. In "stdio mode" (a local launch wired directly to the AI app) that runs only inside your own machine, outside requests cannot be injected, so this attack does not directly succeed. Check your situation in the table below.

Your situationRiskWhat to do
Running v0.17.2
or later
PatchedNo further action
HTTP/SSE mode,
open to the internet
Highest risk
(remote key theft)
Update to v0.17.2 now
HTTP mode on an
internal network
Abusable from
the inside
Update + restrict callers
stdio mode,
local only
Low direct riskUpdate anyway
Not sure of
the version
UnknownCheck version, then update

You can confirm your version from the mcp-grafana releases list and your launch config. Connecting Grafana to an AI assistant is described in the official docs, and a common blind spot is a server someone on the team spun up for testing and left running. Even if you don't use it yourself, it's worth checking once whether a teammate has one running.

Who would exploit this, and how

This flaw lands on organizations that run mcp-grafana reachable over the network. Trying to share an AI assistant across several internal teams by having mcp-grafana listen over HTTP is exactly the kind of setup that becomes a target.

The people who go after it are anyone who can reach the server's front door and send a crafted request without logging in. If it is exposed straight to the internet, that means anyone in the world; even on an internal network, an attacker who has already slipped inside via other malware, or an insider with access, qualifies. Almost no special prerequisites are needed—the awkward part is that "throw one request with a rewritten destination" is enough.

What the attacker does is simple. Rewrite the request's destination to a server they control, send it, and mcp-grafana hands the Grafana master key it holds straight over to the attacker's server. On top of that, aiming the destination at "another internal system" or "the cloud's internal endpoint that hands out configuration data" turns mcp-grafana into a stepping stone for peeking at internal services that should never be reachable from outside. This is called Server-Side Request Forgery (SSRF), and once a cloud's temporary credentials are pulled, the blast radius grows fast.

The damage compounds in two stages. First, once the monitoring master key changes hands, the attacker walks into your Grafana wearing a legitimate user's face and reads the internals—server configs, internal addresses, alert settings. Second, combining that intel with SSRF gives a launch point toward the monitored infrastructure itself. Behind the convenience of letting AI handle monitoring, the connector can become the doorway into an organization's entire infrastructure—that is the heart of this issue. Mechanically, it sits in the same family as the credential theft in the "mcp-server-kubernetes" AI connector flaw and the destination spoofing in the Mastodon cloud-credential theft case.

How it works, technically

mcp-grafana is designed so one instance can serve multiple organizations or tenants, taking the target Grafana's URL and auth token from request headers. Headers like X-Grafana-URL and X-Grafana-Service-Account-Token are provided, falling back to environment variables (values set at server startup) when absent. This itself is the legitimate multi-organization support, built for convenience.

The problem is that the destination URL could be set freely from outside, while the credentials sent to that destination stayed the strong key held by the server. When an attacker points X-Grafana-URL at their own server, mcp-grafana dutifully ships the environment-configured service-account token (plus the deprecated API key, basic auth, and extra headers) to that attacker's server. A program with legitimate privileges exercises those privileges at an outsider's command—that is why it is called a "confused deputy." The same hole enables SSRF (CWE-918) by aiming the destination at internal addresses or a cloud's metadata endpoint.

The patched v0.17.2 changed this so that credentials configured via environment variables are only ever sent to the Grafana URL configured via environment variables. Even if a header specifies a different URL, the server's strong key no longer tags along. The prior v0.17.1 also added defenses against DNS rebinding (swapping the destination mid-connection), so a network-exposed MCP server got hardened twice in quick succession. The MCP mechanism that connects AI to tools is being adopted fast, but this shape—"give the connector strong privileges and then open it up"—keeps causing trouble on other MCP servers too, such as the unauthenticated intrusion in mcp-pinot. Vetting the safety of the components you depend on is essential from an OSS supply-chain standpoint too.

What to do now

The core response is clear. Done in order, it fully closes the hole.

First, update mcp-grafana to v0.17.2 or later. This is the root fix—get the latest build from the official releases. Second, do not place the MCP server where just anyone can reach it. Avoid exposing it directly to the internet, and narrow the set of callers to only those who need it. Third, restrict outbound traffic. Using a firewall to block traffic to a cloud's config endpoint (the special internal address) and to unexpected external destinations means that even if some hole remains, data exfiltration is stopped.

On top of that, consider acting as if the key already leaked. If there was any period when you ran it exposed to the network before updating, it is safest to rotate—reissue—the Grafana service-account token. The attack takes just a single request that leaves little trace, so "no sign of an attack" does not equal "safe." Connectors trusted with monitoring tend to hold strong privileges, and the damage when they are breached is large. When you build a setup that lets AI touch infrastructure, take this as a cue to revisit the design so the connector holds only the minimum privileges it truly needs.

Sources

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django