Internal security audit identified a race condition in the Grafana codebase,
which allowed an unauthenticated user to query an arbitrary endpoint in Grafana.
A race condition in the
HTTP context creation could make a HTTP request being assigned
the authentication/authorization middlewares of another call. Under heavy load
it is possible that a call protected by a privileged middleware receives instead
the middleware of a public query. As a result, an unauthenticated user can
successfully query protected endpoints.
The CVSS score for this vulnerability is 9.8 Critical