What happened
Grafana's MCP Server trusted a client-supplied X-Grafana-URL header to determine the upstream Grafana instance to call, allowing an attacker to redirect the server's own service-account token to an attacker-controlled endpoint and pivot into SSRF against internal infrastructure.
Why it matters
Grafana is deployed broadly across enterprise observability stacks; exposing its MCP server (used to let AI agents query dashboards/metrics) to unauthenticated token theft and SSRF against cloud metadata endpoints can lead to full cloud account compromise via credential chaining.
Attack vector
An unauthenticated remote attacker supplies a crafted X-Grafana-URL request header to the MCP server, causing it to act as a confused deputy: exfiltrating its own environment-configured Grafana service-account token and enabling SSRF against arbitrary internal services, including cloud metadata endpoints.
Affected systems
Grafana MCP Server (unspecified version range per Grafana advisory)
Mitigation
Apply Grafana's security advisory fix; see grafana.com/security/security-advisories/cve-2026-15583.