On Saturday, April 26, 2025, an unauthorized user leveraged a vulnerability in a GitHub workflow within a public Grafana Labs repository, resulting in the exposure of a small number of secrets.

Our detections immediately triggered alerts.

The Grafana team responded, mitigated the vulnerability, rotated keys and verified there was no access to production systems or data.

We'll follow up with more information on our blog in the next few days.

@grafana Thank you for the forthright and timely post --- a model for how this should be done.

@tychotithonus, thank you for your thoughtful comment!

We've just published the blog post in a new post.

https://grafana.social/@grafana/114413896433113217

Grafana Labs (@grafana@grafana.social)

🚨 Update: On April 26, an unauthorized user exploited a vulnerability with a #GitHub workflow to gain unauthorized access to tokens, all of which have now been invalidated. At this time, our investigation has found no evidence of code modifications, unauthorized access to production systems, exposure of customer data, or access to personal information. https://grafana.com/blog/2025/04/27/grafana-security-update-no-customer-impact-from-github-workflow-vulnerability/?mdm=social&src=masto&camp=blog
