A critical vulnerability in Grafana's artificial intelligence features has been patched after researchers demonstrated a method to trick the system into leaking sensitive user data. The flaw, dubbed GrafanaGhost by the security vendor Noma, highlights the growing risks associated with integrating AI into enterprise software that handles highly valuable information.

Key Facts about GrafanaGhost

• What it is: An indirect prompt injection attack on Grafana's AI assistant that could exfiltrate data from an organization's observability platform.
• Discovered by: Noma Security, an AI security research firm, which disclosed the vulnerability responsibly to Grafana.
• Attack vector: Attackers hide malicious instructions in a Web page they control. Through trickery with protocol-relative URLs and the 'INTENT' keyword, Grafana's AI is fooled into processing the instructions as benign and sending data to an attacker-controlled server.
• Trigger: The attack is initiated when a user interacts with a malicious image file that starts loading while the AI assistant is active.
• Patch status: Grafana has released a fix for the issue, which the company says requires significant user interaction to exploit.
• Dispute: Grafana contests Noma's characterization of the attack as 'zero-click,' arguing that it demands repeated user instructions. Noma maintains that no warning was shown to users and that the payload executes silently.

Understanding Prompt Injection in AI Systems

Prompt injection attacks are a class of security threats that exploit how large language models process input. An attacker crafts input that contains hidden or indirect commands that the AI model interprets as legitimate instructions. These commands can override the model's predefined guardrails, leading to unauthorized actions such as data exposure or manipulation. GrafanaGhost falls into the category of indirect prompt injection because the malicious payload is not directly input by the user but rather fetched from an external source—in this case, an attacker-controlled Web page.

Such attacks have become a major concern as companies embed AI assistants into their platforms. Unlike traditional software vulnerabilities that require code flaws, prompt injection leverages the inherent trust an AI model places in its input context. Because AI models are designed to be helpful and follow instructions, they can be weaponized when the instructions themselves are toxic. This makes prompt injection particularly insidious: the AI does not recognize the malicious intent and executes the command as if it were a normal query.

Grafana is a widely used observability platform that aggregates data from multiple sources, including databases, cloud services, and application logs. It helps organizations monitor performance, identify anomalies, and troubleshoot issues. The platform's AI assistant, which can generate summaries, answer queries, and provide insights based on the data stored, is a natural target for prompt injection because it has access to highly sensitive information such as financial records, customer data, and infrastructure details.

How GrafanaGhost Exploited the System

Noma Security's research team set out to find where a user could potentially interact with Grafana's AI components. They discovered that indirect prompts are processed when the AI ingests data from external sources, such as images embedded in logs or dashboards. The team found that image tags in Markdown content could be weaponized to inject malicious commands.

Grafana already had some protections against external image loading—such as domain validation checks. However, the researchers bypassed these protections by employing protocol-relative URLs, which leave out the protocol (HTTP or HTTPS) and rely on the browser to infer it. This trick allowed the malicious URL to circumvent domain validation. Additionally, by including the keyword 'INTENT' in the hidden prompt, the researchers disabled the AI model's guardrails, causing it to treat the malicious instructions as legitimate context.

The attack required the victim to access an attacker-crafted URL path. As soon as a malicious image file began to load, the AI assistant would ingest the prompt and execute the hidden instructions. This resulted in the exfiltration of sensitive data to an attacker-controlled server, all without the user's knowledge. Noma described this as a 'zero-click' exploit because the user did not need to actively approve the command.

Sasi Levi, security research lead at Noma, explained that the attacker does not necessarily need to trick a defender into clicking a conventional phishing link. Instead, the malicious payload can be stored in a location that Grafana's AI will retrieve later. “Once that payload is sitting in the data store, it waits and fires automatically when any user performs a normal interaction with their Grafana instance (like browsing entry logs). The user is the unwitting trigger, not the target of a phishing attempt. That's what makes it so stealthy,” Levi said.

Grafana's Response and the Dispute

Grafana Labs CISO Joe McManus issued a statement acknowledging the issue and confirming that a patch had been rolled out. The company stated that the vulnerability was in the image renderer component of Markdown and was quickly fixed. However, McManus strongly disagreed with Noma's characterization of the attack as 'zero-click' and argued that successful exploitation would require significant user interaction. According to McManus, the user would have to repeatedly instruct the AI assistant to follow the malicious instructions contained in logs, despite the AI assistant reportedly making the user aware of the malicious instructions.

“Any successful execution of this exploit would have required significant user interaction — specifically, the end user would have to repeatedly instruct our AI assistant to follow malicious instructions contained in logs, even after the AI assistant made the user aware of the malicious instructions,” McManus said. He also emphasized that there is no evidence of exploitation in the wild and that no data was leaked from Grafana Cloud.

Noma's Levi countered these claims in an email to Dark Reading. He maintained that the exploit requires fewer than two steps and that the AI never surfaced any warning to the user about the presence of malicious instructions. “There was no alert, no flag, no prompt asking the user to confirm. The model processed the indirect prompt injection autonomously, interpreting the log content as legitimate context and acting on it silently, without restriction, and without notifying the user that anything unusual was occurring,” Levi stated. He added that the user had no visibility into the background activity and no opportunity to intervene.

This disagreement underscores the challenges in defining the boundaries of user interaction in AI-powered systems. As AI assistants become more autonomous, the line between a 'click' and an indirect trigger may continue to blur, making it difficult for security teams to assess risks accurately.

Broader Implications for AI Security

The GrafanaGhost incident is not an isolated case. Prompt injection attacks have been documented in a variety of AI-powered tools, from chatbots to code assistants. In many cases, the underlying issue is the same: the AI model treats all input as equally trustworthy unless explicitly filtered. The rapid adoption of AI in enterprise software has outpaced the development of robust security measures to prevent such exploits.

Security experts recommend that companies deploying AI assistants implement strict input validation, sandboxing, and human approval workflows for sensitive actions. In Grafana's case, the fix involved hardening the image renderer and improving domain validation. However, experts argue that this is only a temporary measure; the fundamental architecture of AI models—which inherently trust context—needs to be redesigned to resist prompt injection.

Organizations should also educate users about the risks of interacting with untrusted data within AI platforms. Even though the user may not be directly targeted, the consequences of a successful attack can be severe, including data leaks, regulatory fines, and loss of customer trust. The GrafanaGhost vulnerability is a stark reminder that AI is not just a productivity enhancer but also a new attack surface that must be defended with the same rigor as traditional software components.

Given the widespread use of Grafana in financial services, healthcare, technology, and other critical sectors, the potential damage from such a vulnerability is enormous. The prompt injection technique demonstrated by Noma could easily be adapted to other AI-integrated observability tools, making this a systemic issue rather than a one-off bug.

The prompt injection technique used in GrafanaGhost is particularly effective because it bypasses standard security filters. By using protocol-relative URLs and the 'INTENT' keyword, the attackers disabled the very guardrails that were meant to protect the system. This highlights the need for dynamic security measures that can adapt to novel attack patterns.

On the positive side, the coordinated disclosure between Noma and Grafana was swift and professional. Noma praised Grafana for immediately jumping on the issue and rolling out a fix quickly. Such cooperation between security researchers and vendors is essential to minimizing exposure before threat actors can exploit vulnerabilities. The patched version of Grafana now includes safeguards that block the specific techniques used in GrafanaGhost.

However, the dispute between Noma and Grafana over the exploit's severity and the level of user interaction required may influence how the industry remembers this incident. If other researchers adopt Noma's more conservative definition of 'zero-click,' then Grafana may face reputational damage. Conversely, if Grafana's position holds sway, the vulnerability may be seen as a minor bug that was responsibly handled. The truth likely lies somewhere in between: the attack is highly stealthy and requires minimal user interaction, but it does require the user to first access a malicious URL—a barrier that is not insurmountable for determined attackers.

In the rapidly evolving landscape of AI cybersecurity, such disputes are becoming common. They reflect the difficulty of characterizing attacks that exploit emergent properties of AI models rather than traditional code flaws. As regulators begin to scrutinize AI safety, incidents like GrafanaGhost will serve as case studies in how to—and how not to—report and patch vulnerabilities.

The GrafanaGhost vulnerability was patched in April 2026. Users are strongly advised to update their Grafana instances to the latest version to protect against similar attacks. While no evidence of exploitation has emerged, the silent nature of the attack means that organizations should monitor for any signs of data exfiltration that may have occurred before the patch was applied.

In conclusion—though we avoid labeling this a formal conclusion—this incident reinforces that AI is a double-edged sword. Its power to process vast amounts of data makes it indispensable for observability, but that same power makes it a prime target for attackers. The ongoing battle between security researchers and AI developers will continue to shape the future of enterprise software.

Source: Dark Reading News