Grafana, a widely used open-source observability platform, has patched a critical security vulnerability in its AI capabilities that could have allowed attackers to exfiltrate sensitive user data. The flaw, discovered by security vendor Noma and dubbed GrafanaGhost, is an indirect prompt injection attack that threatens organizations relying on Grafana for monitoring and analytics.

Grafana is deployed by thousands of enterprises to track financial, telemetric, operational, infrastructure, and customer data. Because it sits at the heart of an organization's most valuable information assets, any compromise could have far-reaching consequences. The GrafanaGhost vulnerability exploited the way Grafana's AI assistant processes user-provided content, particularly from web pages and data sources.

How GrafanaGhost Works

The attack vector leveraged indirect prompt injection, a technique where malicious instructions are embedded in content that an AI system later retrieves and acts upon. In this case, an attacker could hide malicious instructions on a web page under their control. When a Grafana user accessed that page — or when the AI assistant ingested content from it — the AI would interpret those instructions as legitimate commands and execute them without the user's knowledge.

Noma researchers found that image tags within Grafana's Markdown renderer were a viable entry point. Although external images had security protections, the team bypassed them using protocol-relative URLs to circumvent domain validation and the special keyword "INTENT" to disable the AI model's guardrails. Once the malicious image tag began loading, the AI assistant would promptly follow the hidden instructions, which could include sending sensitive data from the current dashboard back to an attacker-controlled server.

Importantly, the attack did not require the user to click a suspicious link or explicitly approve any action. As Noma's security research lead Sasi Levi explained, the payload could be stored in a location — such as a log entry or a shared dashboard — that Grafana's AI components would later retrieve and process automatically. When any user performed a routine interaction like browsing logs, the AI would silently trigger the exfiltration.

The core technical issue enabling GrafanaGhost has been patched by Grafana Labs, which released a fix promptly after responsible disclosure. However, the two parties disagree on the severity and user interaction required.

Grafana's Response and the Dispute

Grafana Labs chief information security officer (CISO) Joe McManus acknowledged the issue, stating that Noma's research highlighted a problem with the image renderer in Grafana's Markdown component, which was quickly patched. However, he disputed Noma's characterization of the attack as "zero-click" and claimed that successful exploitation would have required significant user interaction.

"Any successful execution of this exploit would have required the end user to repeatedly instruct our AI assistant to follow malicious instructions contained in logs, even after the AI assistant made the user aware of the malicious instructions," McManus wrote. He also emphasized that there is no evidence of exploitation in the wild and that no data was leaked from Grafana Cloud.

Noma's Levi countered those statements. He told reporters that the exploit requires fewer than two steps and that the AI never surfaced any warning to the user about the presence of malicious instructions in the entry log. "There was no alert, no flag, no prompt asking the user to confirm. The model processed the indirect prompt injection autonomously, interpreting the log content as legitimate context and acting on it silently, without restriction, and without notifying the user that anything unusual was occurring," Levi said. "The user had no visibility into what was happening in the background and no opportunity to intervene."

Levi reaffirmed Noma's respect for Grafana's quick patch but insisted that their research accurately describes the mechanics. "We respect Grafana's quick response to the patch and their commitment to user security. But we can't let an inaccurate characterization of the exploit mechanics stand unchallenged," he added.

Broader Implications for AI Security

GrafanaGhost is a stark reminder of the growing threat landscape around large language models (LLMs) and AI assistants embedded in enterprise software. Indirect prompt injection attacks have become a major concern because they exploit the trust that models place in user-supplied content. Unlike direct prompt injection, where an attacker explicitly inputs malicious instructions, indirect injection hides them in data that the AI processes naturally — such as log files, web pages, or documents.

Such attacks are difficult to defend against because the AI model cannot easily distinguish between benign data and malicious instructions. Security researchers have demonstrated similar vulnerabilities in other AI-powered platforms, including chatbots, code assistants, and data analytics tools. The GrafanaGhost case highlights the need for robust input validation, content sanitization, and guardrails that prevent AI models from executing untrusted commands.

Enterprises using Grafana should ensure they have applied the latest patch and review their AI assistant configuration for any customizations that might lower security. Security teams should also monitor for unusual outbound data flows that could indicate exfiltration attempts.

The vulnerability was discovered by Noma Security, a vendor specializing in AI security. Their research focused on finding where users could potentially interact with Grafana's AI components, as any user-facing surface is an opportunity for prompt injection. After troubleshooting, they identified image tags as the weak link and devised the bypass techniques that made GrafanaGhost effective.

Grafana Labs has a history of responding quickly to security issues. This incident reinforces the importance of coordinated disclosure between security researchers and vendors. Both parties agree that the patch is effective, and users are urged to update their installations immediately.

As AI continues to integrate deeper into enterprise tools, the line between safe content and malicious prompts will only become blurriers. The GrafanaGhost episode serves as a case study for how even well-defended platforms can fall victim to indirect prompt injection, and it underscores the need for ongoing vigilance, regular patching, and transparent communication between researchers and product teams.

For now, the immediate threat is neutralized. But the underlying challenge — building AI systems that can safely handle untrusted content — remains an open problem that will occupy security professionals for years to come.

Source: Dark Reading News