GrafanaGhost Vulnerability Allows Silent Data Theft via AI Injection

Summary

Researchers at Noma Security discovered GrafanaGhost, a critical vulnerability in Grafana's AI components that exploits indirect prompt injection and protocol-relative URL bypasses to silently exfiltrate sensitive data without user awareness. The attack operates autonomously by hiding malicious instructions within data processed by AI systems and abusing legacy JavaScript URL handling to trick the platform into sending requests to attacker-controlled servers with sensitive business data as parameters. The vulnerability is particularly concerning because it bypasses traditional security controls and leaves no obvious traces for detection.

Full text

SecurityGrafanaGhost Vulnerability Allows Data Theft via AI Injection GrafanaGhost is a critical vulnerability in Grafana’s AI components that uses indirect prompt injection and protocol-relative URL bypasses to exfiltrate data. byDeeba AhmedApril 7, 20263 minute read Cybersecurity researchers at the firm Noma Security have identified a serious vulnerability named GrafanaGhost. This flaw affects Grafana, a popular software platform that many companies use as a central hub to monitor their financial metrics, infrastructure health, and private customer information. For context, Grafana acts like a central nervous system for an organisation’s most sensitive data, making this discovery particularly concerning for businesses. The vulnerability allows attackers to bypass security protections and secretly move private data from a company’s environment to an external server. And, this happens without the user ever knowing. Unlike traditional scams that require a person to click a suspicious link, GrafanaGhost operates autonomously. According to the Noma threat research team, the attack is triggered in the background as soon as the system processes a malicious instruction, leaving no obvious trace for security teams to follow. How the Ghost Attack Operates As per Norma’s investigation, the attack utilizes Indirect Prompt Injection; this involves hiding instructions within data that the software’s AI components process. The hackers trick the system into ignoring its own safety rules by using specific keywords like error, errorMsgs, and INTENT to confuse the AI model. The research further explains that the attack follows a specific, silent path where hackers first craft a specific web path using query parameters that look legitimate to the software but actually allow access to environments where the attacker has no rights. From there, they move to bypass the platform’s security. Grafana has a security function meant to stop it from loading images from untrusted external websites. However, Norma’s investigation revealed a flaw in the JavaScript code. By using a legacy developer trick called protocol-relative URLs (using the // format), the hackers can fool the software into thinking the link is a safe internal path. When the AI tries to display what it thinks is a normal image, it sends a request to the hacker’s server, and the sensitive business data is hooked onto that request as a URL parameter. https://noma.security/wp-content/uploads/Noma_Grafana_labels.mp4 Video demo by Noma Security A Hidden Threat It is worth noting that this attack is almost invisible. “The victim would have no idea anything was wrong,” researchers noted, because there is no “Access Denied” screen or broken code to alert the IT department. To a normal observer, the software appears to be functioning perfectly while the data is being sent to the hackers in real-time. This discovery follows Noma’s team’s previous work on other vulnerabilities like GeminiJack and DockerDash. They found that by combining several small weaknesses, they could achieve “automatic data exfiltration with zero user interaction.” This means that even when content security policies are in place, hackers can find ways around them by targeting how AI processes information, and AI security requires much more than standard client-side validation and content security policies. Industry Expert Perspectives In comments shared with Hackread.com, industry experts provided differing views on the impact of this discovery. Ram Varadarajan, CEO at Acalvio, noted that GrafanaGhost shows how AI integration creates a “massive security blind spot.” He explained that because this method bypasses traditional defences without needing credentials, “it allows attackers to silently exfiltrate sensitive operational telemetry… disguised as routine image renders.” To stay safe, he suggests teams “shift from monitoring what an agent is told to performing runtime behavioural monitoring of what it actually does.” On the other hand, Bradley Smith, SVP, Deputy CISO at BeyondTrust, suggested the findings might be “mostly hype” for well-protected companies. He noted that while the threat is real, its success depends on how a company has set up its network. “What’s less clear here is the practical exploitability against a hardened Grafana deployment with standard enterprise network controls,” Smith shared. Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts AICybersecurityGrafanaGrafanaGhostNoma SecurityVulnerability Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security Data Breaches Leaks Privacy Ticket Resale Platform TicketToCash Left 200GB of User Data Exposed A misconfigured, non-password-protected database belonging to TicketToCash exposed data from 520,000 customers, including PII and partial financial details.… byDeeba Ahmed Read More Security Cyber Attacks Five Eyes Alliance Accuses Chinese APT40 for Hacking Government Networks Australia isn’t alone! The Five Eyes (US, UK, Canada, NZ) along with Japan and South Korea join forces… byWaqas Security Researcher Claims Your Wearable Fitness Trackers Can Be Hacked Nowadays wearable devices, especially fitness checking devices, are very much in vogue. However, security and technology experts are… byWaqas Read More Artificial Intelligence Security Mozilla 0Din Warns of ChatGPT Sandbox Flaws Enabling Python Execution Mozilla’s 0Din uncovers critical flaws in ChatGPT’s sandbox, allowing Python code execution and access to internal configurations. OpenAI… byWaqas

Entities