Overview
The Grafana MCP server binds to 0.0.0.0:8000 by default, exposing an unauthenticated SSE interface on all network interfaces. Attackers on the network can create, update, and delete Grafana dashboards remotely without any credentials.
Who Is Affected
Reported by mcpsec.dev. Affects users running the Grafana MCP server with default configuration, which binds to all interfaces without authentication.
Where It Exists
The vulnerability is in the default configuration of the Grafana MCP server. It listens on 0.0.0.0:8000 (all interfaces) instead of 127.0.0.1 and does not require any authentication for SSE connections.
When It Was Found
Advisory published September 2, 2025 on mcpsec.dev.
How It Works
An attacker on the same network (LAN, Wi-Fi, VPN) connects to the Grafana MCP server's SSE endpoint on port 8000. Because the endpoint performs no authentication, the attacker immediately gains full access to every MCP tool the server exposes, including the Grafana dashboard management operations: creating, modifying, and deleting dashboards.
Impact
Unauthorized full control over Grafana dashboards from the network. Attackers can delete monitoring dashboards (hiding malicious activity), create dashboards that display misleading data (causing incorrect operational decisions), or exfiltrate data visible in existing dashboards. In corporate environments, this can disrupt monitoring and incident response.
Mitigation
Bind the Grafana MCP server to 127.0.0.1 instead of 0.0.0.0. Add authentication to the SSE endpoint; binding to loopback alone still leaves the endpoint reachable by any process on the same host, so the two measures complement each other. Use firewall rules to restrict access to the MCP server port. Run the MCP server in a network namespace or container with limited network access.
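The following is an added defender-side audit check, not code from the advisory or from the Grafana MCP project: it parses the output of `ss -ltn` on a Linux host and flags any listener on port 8000 bound to a wildcard address rather than loopback. The embedded sample output and the process name in it are constructed.

```python
import re
import subprocess

# Addresses that mean "every interface" in ss output (IPv4 and IPv6 wildcards).
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}
# ss prints "addr:port"; IPv6 literals are bracketed, e.g. "[::]:8000".
_LOCAL_RE = re.compile(r"^(?P<addr>\[[^\]]*\]|[^:\s]+):(?P<port>\d+)$")

def parse_local_address(field):
    """Split an ss 'Local Address:Port' field into (address, port), or None."""
    m = _LOCAL_RE.match(field)
    if not m:
        return None
    return m.group("addr").strip("[]"), int(m.group("port"))

def classify_listeners(ss_output, port=8000):
    """Map each LISTEN socket on `port` to 'exposed' (wildcard), 'loopback' or 'specific'."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        # Columns of `ss -ltn`: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        parsed = parse_local_address(parts[3])
        if parsed is None or parsed[1] != port:
            continue
        addr = parsed[0]
        verdict = ("exposed" if addr in WILDCARD_ADDRS
                   else "loopback" if addr in LOOPBACK_ADDRS else "specific")
        findings.append((addr, verdict))
    return findings

def exposed_listeners(ss_output, port=8000):
    """Addresses on `port` reachable from other hosts: the advisory's unsafe default."""
    return [a for a, v in classify_listeners(ss_output, port) if v == "exposed"]

def audit_live_host(port=8000):
    """Run `ss -ltn` on this Linux host and return its wildcard binds on `port`."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, port)

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*         users:(("mcp-grafana",pid=4242,fd=3))
LISTEN 0      128    [::]:8000           [::]:*
LISTEN 0      4096   127.0.0.1:3000      0.0.0.0:*
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*
"""
```

Running `audit_live_host()` on the host after applying the loopback bind should return an empty list; any address it returns is still reachable from the network.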