Go and Grafana: why CVE-2021-43798 is still a useful warning
> TL;DR: CVE-2021-43798 showed that a widely deployed Go product could expose local files through path traversal. Here is why this case is still useful in...
A product flaw that says a lot about the Go ecosystem
When discussing Go, it often makes more sense to look at major products written in Go than at the language in isolation. Grafana is a strong example. In December 2021, Grafana published a security fix for CVE-2021-43798, a path traversal vulnerability that allowed unauthenticated access to local files on affected self-hosted instances.
Grafana documented the affected versions, the patched releases, and the fact that Grafana Cloud was not vulnerable.
Why this mattered
Because it affected a widely deployed observability platform, often connected to sensitive information, and sometimes exposed in environments where teams incorrectly assume the tool is purely internal.
The vulnerable path was tied to the plugin directory. Since multiple plugins ship by default, the attack surface was broadly applicable.
What this says about Go risk
Go has a reputation for simplicity and operational reliability. That is a real strength. But it does not protect products from path handling mistakes, authorization flaws, or rushed release paths.
A clean single binary is not proof of application security.
The lesson for teams
With Grafana, the lesson is not blame Go. The lesson is that an exposed observability service can become a source of file reads, secrets, and infrastructure configuration leakage.
That kind of flaw is especially dangerous because it often affects services rich in credentials, tokens, and environment details.
What to verify in 2026
Our view
For the Go ecosystem, CVE-2021-43798 remains a strong reminder: a technically elegant product can still contain a simple, severe, easily exploitable flaw. The risk does not come from Go syntax. It comes from the real surface of the deployed software.
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Go and Kubernetes: why CVE-2018-1002105 remains a reference point
CVE-2018-1002105 affected kube-apiserver and remains one of the most important flaws in the Kubernetes ecosystem. Here is why it still matters.
Argo CD and CVE-2025-55190: when a project token can expose credentials
CVE-2025-55190 showed that Argo CD project-scoped tokens could retrieve repository credentials. Here is why this case is critical.
Java and Log4Shell: why CVE-2021-44228 remains the reference flaw
Log4Shell showed how a single Java library could become a systemic risk. Here is why CVE-2021-44228 still remains the reference flaw for the Java ecosystem.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.