CRE-2025-0043

Grafana fails to load plugin due to missing signatureMedium

Impact: 4/10

Mitigation: 2/10

CRE-2025-0043View on GitHub

GrafanaPluginValidationSignatureConfigurationSecurityKnown IssuePublic

Description

Grafana may reject custom or third-party plugins at runtime if they are not digitally signed. When plugin signature validation is enabled (default since Grafana 8+), unsigned plugins are blocked and logged as validation errors during startup or plugin loading.\n

Mitigation

- Set `plugins.allow_unsigned_plugins = [\"kentik-description-panel\"]` in `grafana.ini` to explicitly allow the plugin.\n- Request a signed version from the plugin vendor or author.\n- For dev environments, set `plugins.allow_loading_unsigned_plugins = true` (not recommended for production).\n- Upgrade Grafana plugins via `grafana-cli` to receive official signed builds if available.\n

References

• https://grafana.com/docs/grafana/latest/developers/plugins/sign-a-plugin/
• https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#plugins