I Found 10 Critical Vulnerabilities in My Grafana Setup

Author: Oob Skulden

Uploaded: 2026-03-04

Views: 32

Description: Your Grafana monitoring stack passed "docker compose up" -- but did it pass a security audit?

⚠️ EDUCATIONAL CONTENT: All testing performed against my own isolated homelab. Do not test against systems you don't own or aren't authorized to test.

We ran a full vulnerability assessment against a Grafana/Prometheus/cAdvisor/Blackbox monitoring stack deployed the way most people deploy it: default configs, no TLS, no hardening. We found 10 confirmed vulnerabilities and demonstrated 20 exploitation paths -- all from a jump box with nothing but curl.

What we found:
Prometheus API wide open: 1,096 metrics, full container inventory, kernel version -- zero auth
cAdvisor leaking host hardware, disk UUIDs, and every running container
Blackbox Exporter as an SSRF proxy: cross-VLAN service discovery through port 9115
OAuth secrets in plaintext across .env, container env, AND docker inspect
Disabled users keeping full access via session cookies -- then creating persistent backdoors
Admin passwords brute-forced in 5 guesses with zero rate limiting
All traffic in cleartext HTTP -- credentials decoded from base64 in one command

Every vulnerability gets two steps: PROVE IT (demonstrate it exists) and BREAK IT (show what an attacker does with it). No theory. No slides. Just terminals and curl.
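The PROVE IT half of those checks, written out as an added shell helper (this is not the author's script and not one of the blog's 98 commands). Each verdict is a pure function over a captured response, so the logic can be exercised offline with constructed samples, and the live `audit` function only touches the network when the script is invoked with `run`. The hostnames (`monitoring.lab`), ports and the cross-VLAN target `10.0.20.5:8443` are assumptions; the endpoints are the stock Prometheus, cAdvisor v1.3, Blackbox Exporter and Grafana HTTP APIs. The rate-limit check is a status-code heuristic, not a test of Grafana's own lockout logic.

```shell
#!/usr/bin/env bash
# Added audit helper, not the author's script. Assumes the four services are
# reachable at the URLs below (hypothetical host "monitoring.lab"); override via env.
set -u

PROM="${PROM:-http://monitoring.lab:9090}"
CADVISOR="${CADVISOR:-http://monitoring.lab:8080}"
BLACKBOX="${BLACKBOX:-http://monitoring.lab:9115}"
GRAFANA="${GRAFANA:-http://monitoring.lab:3000}"
# Assumed target on another VLAN for the Blackbox SSRF probe; pick one you own.
SSRF_TARGET="${SSRF_TARGET:-http://10.0.20.5:8443}"

# ---- decision logic: pure functions over captured responses, so each verdict
# ---- is separate from the fetch and can be checked offline.

# VULN-02: count metric names in an unauthenticated
# GET /api/v1/label/__name__/values body ({"status":"success","data":[...]}).
prom_metric_count() {
  printf '%s' "$1" | sed -n 's/.*"data":\[\(.*\)\].*/\1/p' | tr ',' '\n' | grep -c . || true
}

# VULN-03: fields cAdvisor's /api/v1.3/machine hands to anyone:
# the system UUID and the device name of every mounted filesystem.
cadvisor_summary() {
  local uuid fs
  uuid=$(printf '%s' "$1" | sed -n 's/.*"system_uuid":"\([^"]*\)".*/\1/p')
  fs=$(printf '%s' "$1" | grep -o '"device":"[^"]*"' | cut -d'"' -f4 | tr '\n' ' ')
  printf 'uuid=%s disks=%s\n' "$uuid" "${fs% }"
}

# VULN-04: Blackbox answers in Prometheus text format; probe_success 1 means it
# reached the target on our behalf, i.e. it works as an SSRF / port-scan proxy.
blackbox_reached() {
  if printf '%s\n' "$1" | grep -q '^probe_success 1$'; then echo reachable; else echo unreachable; fi
}

# VULN-01: HTTP 200 from /api/org with admin:admin means the factory password survives.
default_creds_verdict() { [ "$1" = "200" ] && echo VULN || echo ok; }

# VULN-07 heuristic: pass the status codes of N wrong-password logins.
# If none is 429 (or 403) the server never pushed back, so guessing is free.
rate_limit_verdict() {
  case " $* " in *" 429 "*|*" 403 "*) echo throttled ;; *) echo VULN ;; esac
}

# VULN-10: a plain http:// scheme puts passwords, session cookies and OAuth
# secrets on the wire unencrypted.
is_cleartext() { case "$1" in http://*) echo yes ;; *) echo no ;; esac; }

# BRK-10: what a sniffer sees; HTTP Basic is base64, not encryption.
decode_basic_auth() {
  printf '%s' "$1" | sed -n 's|.*Basic \([A-Za-z0-9+/=]*\).*|\1|p' | base64 -d
}

# ---- live run: the curl calls that feed the verdict functions above.
audit() {
  local body status codes i
  body=$(curl -s "$PROM/api/v1/label/__name__/values")
  echo "VULN-02 Prometheus metric names without auth: $(prom_metric_count "$body")"
  echo "VULN-03 cAdvisor: $(cadvisor_summary "$(curl -s "$CADVISOR/api/v1.3/machine")")"
  body=$(curl -sG --data-urlencode "target=$SSRF_TARGET" --data-urlencode "module=http_2xx" "$BLACKBOX/probe")
  echo "VULN-04 Blackbox probe of $SSRF_TARGET: $(blackbox_reached "$body")"
  status=$(curl -s -o /dev/null -w '%{http_code}' -u admin:admin "$GRAFANA/api/org")
  echo "VULN-01 admin:admin on Grafana: $(default_creds_verdict "$status")"
  codes=""
  for i in 1 2 3 4 5 6 7 8 9 10; do
    codes="$codes $(curl -s -o /dev/null -w '%{http_code}' -H 'Content-Type: application/json' \
      -d "{\"user\":\"admin\",\"password\":\"wrong$i\"}" "$GRAFANA/login")"
  done
  echo "VULN-07 after 10 bad logins ($codes ): $(rate_limit_verdict $codes)"
  echo "VULN-10 Grafana over cleartext: $(is_cleartext "$GRAFANA")"
}

# Only hit the network when invoked as: bash audit.sh run
if [ "${1:-}" = "run" ]; then audit; fi
```

Run it from the jump box with `bash audit.sh run`; a non-zero metric count, a populated disk list, `reachable`, `VULN` and `yes` are the five findings the video demonstrates. Keeping the verdicts as pure functions is what lets the same script become the verification step in a hardening pass: after each fix the expected answers flip and the checks should start returning `0`, `unreachable`, `ok`, `throttled` and `no`.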

Compliance frameworks violated: NIST 800-53, SOC 2, CIS Controls v8, PCI-DSS v4.0, CIS Docker Benchmark, OWASP ASVS.

Part 2 (hardening) coming soon -- 6 phases, every vuln gets fixed and verified.

WALKTHROUGH BLOG with all 98 commands:
https://oobskulden.com/2026/02/15-vul...

CHAPTERS:
00:00 Intro
00:54 Initial Check
02:52 VULN-01: Grafana Default Credentials
04:38 BRK-01: Grafana Default Credentials
05:58 VULN-02: Prometheus Unauthenticated -- PROVE IT
08:49 BRK-02: Prometheus Unauthenticated -- BREAK IT
10:43 VULN-03: cAdvisor Exposed -- PROVE IT
12:16 BRK-03: cAdvisor Exposed -- BREAK IT
14:24 VULN-04: Blackbox SSRF -- PROVE IT
16:14 BRK-04: Blackbox SSRF -- BREAK IT
18:55 VULN-05: OAuth Secret Exposure -- PROVE IT
22:14 BRK-05: OAuth Secret Exposure -- BREAK IT
26:50 VULN-06: Session Persistence -- PROVE IT
32:55 BRK-06: Session Persistence -- BREAK IT
38:59 VULN-07: No Rate Limiting -- PROVE IT
40:32 BRK-07: No Rate Limiting -- BREAK IT
43:14 VULN-09: Container Hardening -- PROVE IT
45:04 BRK-09: Container Hardening -- BREAK IT
46:07 VULN-10: No TLS -- PROVE IT
48:28 BRK-10: No TLS -- BREAK IT
50:20 In Summary
51:30 DISCLAIMER

This content is produced in my personal capacity and does not represent the views, tools, or practices of my employer.

Published by Oob Skulden(TM)
Stay Paranoid.
