The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-210:03 advisory.

    * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate     (CVE-2025-61729)
      * grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables     Cross?Dashboard Privilege Escalation (CVE-2026-21721)
      * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip     (CVE-2025-61728)
      * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
      * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:2914 advisory.

    * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate     (CVE-2025-61729)
      * grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables     Cross?Dashboard Privilege Escalation (CVE-2026-21721)
      * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip     (CVE-2025-61728)
      * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
      * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:2920 advisory.

    * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate     (CVE-2025-61729)
      * grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables     Cross?Dashboard Privilege Escalation (CVE-2026-21721)
      * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip     (CVE-2025-61728)
      * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
      * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-2920 advisory.

    - Resolves RHEL-144959: CVE-2026-21721
    - Resolves RHEL-146863: CVE-2025-61726
    - Resolves RHEL-147081: CVE-2025-61729
    - Resolves RHEL-147370: CVE-2025-61728
    - Resolves RHEL-149621: CVE-2025-68121
    - Resolves RHEL-125692: CVE-2025-58183
    - Resolves RHEL-89953: CVE-2025-4123
    - Resolves RHEL-84636: CVE-2025-30204
    - Resolves RHEL-62312: CVE-2024-47875

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:2920 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate     (CVE-2025-61729)

    * grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables     Cross?Dashboard Privilege Escalation (CVE-2026-21721)

    * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip     (CVE-2025-61728)

    * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

    * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-2914 advisory.

    - Resolves RHEL-144948: CVE-2026-21721
    - Resolves RHEL-146721: CVE-2025-61726
    - Resolves RHEL-146926: CVE-2025-61729
    - Resolves RHEL-147351: CVE-2025-61728

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:2914 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate     (CVE-2025-61729)

    * grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables     Cross?Dashboard Privilege Escalation (CVE-2026-21721)

    * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip     (CVE-2025-61728)

    * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

    * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Grafana Labs installed on the remote host is affected by a privilege escalation vulnerability as referenced in the CVE-2026-21721 advisory. 

  - The dashboard permissions API does not verify the target dashboard scope and only checks the     dashboards.permissions:* action. As a result, a user who has permission management rights on one     dashboard can read and modify permissions on other dashboards. This is an organization‑internal     privilege escalation. (CVE-2026-21721)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The dashboard permissions API does not verify the target dashboard scope and only checks the     dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard     can read and modify permissions on other dashboards. This is an organizationinternal privilege     escalation. (CVE-2026-21721)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
299683	MiracleLinux 9 : grafana-10.2.6-18.el9_7 (AXSA:2026-210:03)	Nessus	Miracle Linux Local Security Checks	critical
299669	AlmaLinux 10 : grafana (ALSA-2026:2914)	Nessus	Alma Linux Local Security Checks	critical
299606	AlmaLinux 9 : grafana (ALSA-2026:2920)	Nessus	Alma Linux Local Security Checks	critical
299510	Oracle Linux 9 : grafana (ELSA-2026-2920)	Nessus	Oracle Linux Local Security Checks	critical
299501	RHEL 9 : grafana (RHSA-2026:2920)	Nessus	Red Hat Local Security Checks	critical
299482	Oracle Linux 10 : grafana (ELSA-2026-2914)	Nessus	Oracle Linux Local Security Checks	critical
299418	RHEL 10 : grafana (RHSA-2026:2914)	Nessus	Red Hat Local Security Checks	critical
297197	Grafana Labs 10.2.0 < 11.6.9+security-01 / 12.0.0 < 12.0.8+security-01 / 12.1.0 < 12.1.5+security-01 / 12.2.0 < 12.2.3+security-01 / 12.3.0 < 12.3.1+security-01 Privilege Escalation (CVE-2026-21721)	Nessus	Web Servers	high
297049	Linux Distros Unpatched Vulnerability : CVE-2026-21721	Nessus	Misc.	high

Detections

Analytics

CVE-2026-21721

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

high

high