CRE-2025-0043

Grafana fails to load plugin due to missing signature
Medium
Impact: 4/10
Mitigation: 2/10

Description

Grafana may reject custom or third-party plugins at runtime if they are not digitally signed. When plugin signature validation is enabled (default since Grafana 8+), unsigned plugins are blocked and logged as validation errors during startup or plugin loading.


Cause

  • Grafana enforces plugin signing to prevent tampering and supply chain attacks.
  • If a plugin such as `kentik-description-panel` lacks a valid signature or is locally built without signing, the validation step fails, and the plugin is not loaded.

Mitigation

  • Set `allow_loading_unsigned_plugins = kentik-description-panel` in the `[plugins]` section of `grafana.ini` to explicitly allow the plugin. The value is a comma-separated list of plugin IDs.
  • Request a signed version from the plugin vendor or author.
  • For dev environments, set `plugins.allow_loading_unsigned_plugins = true` (not recommended for production).
  • Upgrade Grafana plugins via `grafana-cli` to receive official signed builds if available.
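
To see which installed plugins the signature check would block and which exceptions the allow-list grants, the following audit can be run against a Grafana install; it is an added example, not code from Grafana or from this CRE. It assumes Grafana's `[plugins] allow_loading_unsigned_plugins` setting (a comma-separated list of plugin IDs) and treats a `MANIFEST.txt` beside `plugin.json` as a heuristic for "signed" without verifying the signature; the function names are hypothetical.

```python
import configparser
import json
import sys
from pathlib import Path


def allowed_unsigned(ini_path):
    """Plugin IDs listed in [plugins] allow_loading_unsigned_plugins."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may hold keys such as app_mode before any section header,
    # so prepend a dummy section to keep configparser from rejecting the file.
    cfg.read_string("[__top__]\n" + Path(ini_path).read_text(encoding="utf-8"))
    raw = cfg.get("plugins", "allow_loading_unsigned_plugins", fallback="")
    return {p.strip() for p in raw.split(",") if p.strip()}


def installed_plugins(plugins_dir):
    """Map plugin ID -> True when MANIFEST.txt sits beside plugin.json."""
    found = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        # Assumption: plugin.json is at the plugin root or under dist/.
        for root in (entry, entry / "dist"):
            meta = root / "plugin.json"
            if meta.is_file():
                plugin_id = json.loads(meta.read_text(encoding="utf-8"))["id"]
                found[plugin_id] = (root / "MANIFEST.txt").is_file()
                break
    return found


def audit(ini_path, plugins_dir):
    """Compare the allow-list with what is actually on disk."""
    allowed = allowed_unsigned(ini_path)
    plugins = installed_plugins(plugins_dir)
    unsigned = {pid for pid, has_manifest in plugins.items() if not has_manifest}
    return {
        "blocked": sorted(unsigned - allowed),          # will fail to load
        "exceptions": sorted(unsigned & allowed),       # unsigned but permitted
        "stale_allowlist": sorted(allowed - unsigned),  # entries to remove
    }


if __name__ == "__main__":
    # Usage: python audit_plugins.py /etc/grafana/grafana.ini /var/lib/grafana/plugins
    for key, ids in audit(sys.argv[1], sys.argv[2]).items():
        print(f"{key}: {', '.join(ids) or '-'}")
```

Entries under `stale_allowlist` are worth removing: they grant an exception to a plugin that is either signed already or no longer installed.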

References