A newly identified critical vulnerability dubbed GrafanaGhost has been used by attackers to silently extract sensitive enterprise data from Grafana environments.
According to researchers at Noma’s Threat Research Team, the exploit bypasses client-side protections and AI guardrails, enabling unauthorized data transfers to external servers without requiring user interaction or login credentials.
Grafana, widely used for monitoring and analytics, often stores highly sensitive information including financial metrics, infrastructure health data and customer records. This makes it an attractive target for attackers seeking valuable operational insights.
Chaining Multiple Weaknesses
GrafanaGhost operates by chaining together multiple weaknesses in both application logic and AI behavior.
Instead of relying on phishing or stolen credentials, attackers manipulate how Grafana processes inputs.
The attack unfolds in several stages:
-
Foreign paths are crafted to mimic legitimate data requests
-
Indirect prompt injection tricks the AI into processing hidden instructions
-
Protocol-relative URLs bypass domain validation checks
-
Sensitive data is attached to outbound requests and sent to attacker-controlled servers
By exploiting these mechanisms, attackers can trigger automatic data exfiltration when the system attempts to render external content. The process happens entirely in the background, leaving no obvious trace for users or administrators.
AI Guardrails Bypassed With Simple Techniques
Noma found that Grafana’s built-in safeguards could be bypassed using relatively simple methods. A flaw in URL validation allowed external domains to be disguised as internal resources.
Meanwhile, the inclusion of specific keywords such as “INTENT” in injected prompts caused the AI model to ignore its own safety restrictions.
“GrafanaGhost perfectly illustrates how AI integration creates a massive security blind spot by using system components exactly as designed, but with instructions the model cannot verify as malicious,” Ram Varadarajan, CEO at Acalvio, commented.
“Because indirect prompt injection bypasses traditional defenses, requiring no credentials or user interaction, it allows attackers to silently exfiltrate sensitive operational telemetry, such as financial metrics and infrastructure state, disguised as routine image renders.”
Read more on AI security vulnerabilities: Security Researchers Sound the Alarm on Vulnerabilities in AI-Generated Code
The findings highlight a broader shift in cybersecurity risks. Rather than targeting traditional software flaws, attackers are increasingly focusing on AI-driven systems and indirect prompt injection techniques.
Invisible Threat to Organizations
One of the most concerning aspects of GrafanaGhost is its stealth, Noma warned. There are no phishing emails, suspicious links or obvious system alerts. From a user’s perspective, normal dashboard activity continues uninterrupted.
“The underlying attack pattern, indirect prompt injection leading to data exfiltration via rendered content, is a well-documented and legitimate attack type,” explained Bradley Smith, SVP, Deputy CISO at BeyondTrust.
For security teams, this creates a significant challenge. Data appears to flow as expected, while in reality, sensitive information is being siphoned off in real time.
“To defend against this, security teams must move beyond application-layer toggles to network-level URL blocking and treat prompt injection as a primary threat rather than an edge case,” Varadarajan said.
“The only way to secure AI-driven tooling is to shift from monitoring what an agent is told to performing runtime behavioral monitoring of what it actually does.”
