CRE-2025-0043

Grafana fails to load plugin due to missing signature

Severity: Medium
Impact: 4/10
Mitigation: 2/10

Description

Grafana may reject custom or third-party plugins at runtime if they are not digitally signed. When plugin signature validation is enabled (default since Grafana 8+), unsigned plugins are blocked and logged as validation errors during startup or plugin loading.

Mitigation

- Set `plugins.allow_unsigned_plugins = ["kentik-description-panel"]` in `grafana.ini` to explicitly allow the plugin.
- Request a signed version from the plugin vendor or author.
- For dev environments, set `plugins.allow_loading_unsigned_plugins = true` (not recommended for production).
- Upgrade Grafana plugins via `grafana-cli` to receive official signed builds if available.
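An added example, not from the original page or the Grafana project: a small audit that reads the `[plugins]` section of a `grafana.ini` and reports which unsigned plugins the two settings named above let through, so an exception stays scoped to reviewed plugin IDs. The sample file contents, the `acme-debug-panel` ID and the approved set are constructed, and treating `true` as a blanket allowance follows this page's wording.

```python
import configparser

# Keys from the Mitigation list above, both read from the [plugins] section.
KEYS = ("allow_unsigned_plugins", "allow_loading_unsigned_plugins")

# Constructed sample: one reviewed exception and one hypothetical unreviewed ID.
SAMPLE_INI = """\
app_mode = production

[plugins]
; unsigned plugin exceptions
allow_unsigned_plugins = ["kentik-description-panel", "acme-debug-panel"]
"""


def audit_unsigned_plugins(ini_text, approved):
    """Return (allowed_ids, findings) for the unsigned-plugin settings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may carry keys before the first section header; give them a
    # section so configparser does not raise MissingSectionHeaderError.
    parser.read_string("[__global__]\n" + ini_text)
    allowed, findings = set(), []
    for key in KEYS:
        raw = parser.get("plugins", key, fallback="").strip()
        if not raw:
            continue
        if raw.lower() == "true":
            # Assumption taken from the page: "true" means no per-plugin scoping.
            findings.append(f"{key} = true allows every unsigned plugin")
            continue
        # Accept a bracketed, quoted list or a bare comma-separated list.
        ids = {p.strip().strip("\"'") for p in raw.strip("[]").split(",")}
        ids.discard("")
        allowed |= ids
        for plugin_id in sorted(ids - set(approved)):
            findings.append(f"{key} allows unapproved plugin {plugin_id!r}")
    return allowed, findings


if __name__ == "__main__":
    approved_ids = {"kentik-description-panel"}  # constructed review list
    allowed_ids, problems = audit_unsigned_plugins(SAMPLE_INI, approved_ids)
    print("unsigned plugins allowed:", sorted(allowed_ids))
    for problem in problems:
        print("FINDING:", problem)
```
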

References