Vulnerability  ·  2026-07-17

Grafana MCP Server — Confused-Deputy SSRF and Service-Account Token Exfiltration via X-Grafana-URL Header

VulnerabilityHigh impactGlobalCVE-2026-15583
Grafana's MCP Server trusted a client-supplied X-Grafana-URL header to determine the upstream Grafana instance to call, allowing an attacker to redirect the server's own service-account token to an attacker-controlled endpoint and pivot into SSRF against internal infrastructure.
Grafana is deployed broadly across enterprise observability stacks; exposing its MCP server (used to let AI agents query dashboards/metrics) to unauthenticated token theft and SSRF against cloud metadata endpoints can lead to full cloud account compromise via credential chaining.
An unauthenticated remote attacker supplies a crafted X-Grafana-URL request header to the MCP server, causing it to act as a confused deputy: exfiltrating its own environment-configured Grafana service-account token and enabling SSRF against arbitrary internal services, including cloud metadata endpoints.
Grafana MCP Server (unspecified version range per Grafana advisory)
Apply Grafana's security advisory fix; see grafana.com/security/security-advisories/cve-2026-15583.
Grafana Security Advisory
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →