What is CVE-2021-43798?

CVE-2021-43798 is a high-severity vulnerability in Grafana, classified under Path Traversal. CVSS score: 7.5/10. Published 2021-12-07.

How severe is CVE-2021-43798?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2021-43798 known to be exploited?

Yes. CVE-2021-43798 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-10-09), indicating it is being actively exploited. 207 public proof-of-concept repositories are indexed.

Path Traversal in Grafana

CVE-2021-43798

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Grafana — versions >= 8.0.0, < 8.0.7, >= 8.1.0, < 8.1.8, >= 8.2.0, < 8.2.7

Weakness classification (CWE)

CWE-22 — Path Traversal

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2025-10-09. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2025-10-30.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public proof-of-concept exploits

References

github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p (x_refsource_CONFIRM)
github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce (x_refsource_MISC)
packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html (x_refsource_MISC)
grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-… (x_refsource_CONFIRM)
packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrar… (x_refsource_MISC)
[oss-security] 20211209 CVE-2021-43798 Grafana directory traversal (mailing-list, x_refsource_MLIST)
[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files (mailing-list, x_refsource_MLIST)
security.netapp.com/advisory/ntap-20211229-0004/ (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2021-43798?: CVE-2021-43798 is a high-severity vulnerability in Grafana, classified under Path Traversal. CVSS score: 7.5/10. Published 2021-12-07.
How severe is CVE-2021-43798?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2021-43798 known to be exploited?: Yes. CVE-2021-43798 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-10-09), indicating it is being actively exploited. 207 public proof-of-concept repositories are indexed.