GrafanaGhost: The AI That Leaked Everything Without Being Hacked

Security firm Noma Security disclosed a critical vulnerability dubbed 'GrafanaGhost' that allowed attackers to silently exfiltrate sensitive data—including financial metrics and customer records—from Grafana environments without stolen credentials or triggered alerts. The attack exploited Grafana's own AI assistant through a technique called indirect prompt injection. Attackers crafted URLs with malicious query parameters that landed in Grafana's entry logs. When the AI assistant processed these logs as part of its normal function, it encountered and executed hidden instructions, interpreting them as authorized due to a specific keyword that bypassed built-in guardrails.

This vulnerability bypassed every traditional security layer: SIEM rules, DLP tools, and endpoint monitoring all failed to detect the exfiltration because the AI's request appeared as normal behavior. Grafana quickly patched the specific flaw, but Noma Security emphasizes this is part of a broader pattern seen in other disclosures like ForcedLeak and GeminiJack. The core issue is that AI features are being integrated into platforms not designed with AI-specific threat models, creating new exfiltration channels that circumvent perimeter defenses.

The incident underscores a fundamental security limitation: model-level guardrails (like system prompts and safety filters) are configuration settings, not reliable security controls. They can be overridden or bypassed, as demonstrated by the single keyword that neutralized Grafana's defenses. This revelation challenges the security community's approach to AI integration, highlighting the urgent need for data-layer controls that operate independently of the AI model's behavior.