www.darkreading.com 4/7/2026, 8:31:10 PM

Grafana Ghost flaw let attackers steal data via AI prompt trick

Grafana Ghost is an indirect prompt-injection bug that could have enabled attackers to exfiltrate sensitive data by abusing Grafana’s AI components. Researchers at Noma Security published findings detailing how an attacker could hide malicious instructions on a page they control; Grafana would ingest the prompt as benign and return data to a server the attacker controls.

The exploit would rely on tricking the AI with image tags, using protocol-relative URLs to bypass domain validation and the INTENT keyword to disable the AI model’s guardrails. The attack would be triggered when a user renders the attacker-supplied image, so the user, not the attacker, becomes the unwitting trigger.
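To show why a protocol-relative URL defeats a prefix-based domain check, here is an added Go illustration (not Grafana’s code or Noma’s findings) of a weak validator beside a hardened one; the allowlisted and attacker hostnames are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist for this example; it is not
// Grafana's configuration.
var allowedHosts = map[string]bool{"grafana.example.com": true}

// naiveAllowed shows the weak pattern: anything without an explicit http(s)
// scheme is treated as a same-origin relative path and passes. A
// protocol-relative "//host/path" has no scheme, yet browsers fetch it from host.
func naiveAllowed(raw string) bool {
	if !strings.HasPrefix(raw, "http://") && !strings.HasPrefix(raw, "https://") {
		return true // assumed relative, so assumed safe
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return allowedHosts[u.Hostname()]
}

// hardenedAllowed resolves the reference against the page's own base URL, so
// "//host/path" picks up the base scheme and its real host, then checks the
// scheme and the resolved host explicitly instead of trusting a prefix.
func hardenedAllowed(raw string, base *url.URL) bool {
	ref, err := url.Parse(raw)
	if err != nil {
		return false
	}
	u := base.ResolveReference(ref)
	if u.Scheme != "https" && u.Scheme != "http" {
		return false
	}
	return allowedHosts[u.Hostname()]
}

func main() {
	base, _ := url.Parse("https://grafana.example.com/d/abc")
	// "attacker.example" is a constructed sample host, not a real one.
	for _, src := range []string{"/public/img/logo.png", "//attacker.example/c?d=x", "https://attacker.example/x.png"} {
		fmt.Printf("%-32s naive=%-5v hardened=%v\n", src, naiveAllowed(src), hardenedAllowed(src, base))
	}
}
```

The protocol-relative sample passes the naive check and fails the hardened one, which is the detection-relevant difference: a rendered image whose resolved host is outside the allowlist is the signal to look for.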

Grafana’s core issue has been patched, and Grafana Labs’ CISO Joe McManus said there was no evidence the bug had been exploited in the wild and that no data was leaked from Grafana Cloud. Dark Reading notes that Noma praised Grafana for responsible disclosure and a rapid fix.


Article by CyberSIXT