{"id":"CVE-2023-3128","details":"Grafana is validating Azure AD accounts based on the email claim. \n\nOn Azure AD, the profile email field is not unique and can be easily modified. \n\nThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.","aliases":["BIT-grafana-2023-3128","GHSA-gxh2-6vvc-rrgp","GHSA-mpv3-g8m3-3fjc"],"modified":"2026-05-18T05:56:36.537595221Z","published":"2023-06-22T20:14:00.805Z","related":["ALSA-2023:4030","ALSA-2023:6972","CGA-3hvm-2h7f-4v6f","SUSE-SU-2023:2915-1","SUSE-SU-2023:2916-1","SUSE-SU-2023:2917-1","SUSE-SU-2023:3136-1","SUSE-SU-2024:0191-1","SUSE-SU-2024:0196-1","SUSE-SU-2025:0524-1","SUSE-SU-2025:0525-1","SUSE-SU-2025:0545-1","openSUSE-SU-2024:13018-1"],"database_specific":{"cna_assigner":"GRAFANA","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3128.json","cwe_ids":["CWE-290"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"9.5.0"},{"fixed":"9.5.4"},{"introduced":"9.4.0"},{"fixed":"9.4.13"},{"introduced":"9.3.0"},{"fixed":"9.3.16"},{"introduced":"9.2.0"},{"fixed":"9.2.20"},{"introduced":"6.7.0"},{"fixed":"8.5.27"},{"introduced":"9.5.0"},{"fixed":"9.5.4"},{"introduced":"9.4.0"},{"fixed":"9.4.13"},{"introduced":"9.3.0"},{"fixed":"9.3.16"},{"introduced":"9.2.0"},{"fixed":"9.2.20"},{"introduced":"6.7.0"},{"fixed":"8.5.27"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3128.json"},{"type":"ADVISORY","url":"https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp"},{"type":"ADVISORY","url":"https://grafana.com/security/security-advisories/cve-2023-3128/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3128"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230714-0004/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana","events":[{"introduced":"c4656a885d92ccc5eaaf71747cd5c236c133a21f"},{"fixed":"5f9e0ace7eb4001f4106f912b0549936db87c68f"},{"introduced":"c7eea48209eb93819a0ab7593921fffba5b2d339"},{"fixed":"8d9c05a1601f5324cb465950728ce6155f5ab44b"},{"introduced":"e9cb2a313ecc5a8e3cfeca7d2b7df2878802096e"},{"fixed":"07b83b72be8497c2060810a6d242d180781459ce"},{"introduced":"dbb869b17343d20a73521ada8ff61d639abe23b7"},{"fixed":"e63c0e529c6fbb06a2efcb0d38f4fc22c0ebd4dd"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"6.7.0"},{"fixed":"8.5.27"},{"introduced":"9.2.0"},{"fixed":"9.2.20"},{"introduced":"9.3.0"},{"fixed":"9.3.16"},{"introduced":"9.4.0"},{"fixed":"9.4.13"}],"cpe":["cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*","cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*"]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-3128.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"}]}