Back to blog
GoGrafanaCVE

Go and Grafana: why CVE-2021-43798 is still a useful warning

Published on 2026-04-116 min readCleanIssue

> TL;DR: CVE-2021-43798 showed that a widely deployed Go product could expose local files through path traversal. Here is why this case is still useful in...

A product flaw that says a lot about the Go ecosystem

When discussing Go, it often makes more sense to look at major products written in Go than at the language in isolation. Grafana is a strong example. In December 2021, Grafana published a security fix for CVE-2021-43798, a path traversal vulnerability that allowed unauthenticated access to local files on affected self-hosted instances.

Grafana documented the affected versions, the patched releases, and the fact that Grafana Cloud was not vulnerable.

Why this mattered

Because it affected a widely deployed observability platform, often connected to sensitive information, and sometimes exposed in environments where teams incorrectly assume the tool is purely internal.

The vulnerable path was tied to the plugin directory. Since multiple plugins ship by default, the attack surface was broadly applicable.

What this says about Go risk

Go has a reputation for simplicity and operational reliability. That is a real strength. But it does not protect products from path handling mistakes, authorization flaws, or rushed release paths.

A clean single binary is not proof of application security.

The lesson for teams

With Grafana, the lesson is not blame Go. The lesson is that an exposed observability service can become a source of file reads, secrets, and infrastructure configuration leakage.

That kind of flaw is especially dangerous because it often affects services rich in credentials, tokens, and environment details.

What to verify in 2026

  • self-hosted Grafana versions;
  • internet exposure of dashboards and consoles;
  • sensitive files available on the host;
  • patching habits for observability tools;
  • the assumption that internal means non-critical.
  • Our view

    For the Go ecosystem, CVE-2021-43798 remains a strong reminder: a technically elegant product can still contain a simple, severe, easily exploitable flaw. The risk does not come from Go syntax. It comes from the real surface of the deployed software.

    Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit