Grafana: admin/admin Still Works in 2026
Grafana dashboards with admin/admin default credentials are still everywhere. Once inside, attackers pivot to the datasources — Prometheus, PostgreSQL, Elasticsearch — and extract credentials. This is a common finding in vulnerability assessments and external penetration tests.
admin/admin and the skippable password change
Grafana ships with default credentials: username admin, password admin. On first login, Grafana prompts you to change the password. The prompt includes a "Skip" button. Clicking "Skip" leaves the default password in place and drops you into a fully authenticated admin session.
This is not a theoretical concern. Shodan shows over 300,000 Grafana instances exposed to the internet. In our penetration testing engagements, roughly one in five internet-facing Grafana instances still accepts admin:admin. On internal networks, the ratio is worse because internal services receive less security scrutiny.
/api/datasources: connection strings for everything
The first stop after logging in as admin is GET /api/datasources. This endpoint returns every configured data source with full connection details:
{
  "name": "Production PostgreSQL",
  "type": "postgres",
  "url": "prod-db.internal.company.com:5432",
  "database": "app_production",
  "user": "grafana_reader",
  "secureJsonData": {
    "password": "Gr4f@na_R3ad3r_2024!"
  }
}
Typical Grafana installations connect to 5 to 15 data sources including PostgreSQL, MySQL, Elasticsearch, Prometheus, InfluxDB, Loki, and cloud monitoring APIs. Each data source entry includes the hostname, port, database name, username, and password.
These credentials usually have read access to production databases. Grafana needs to query data for dashboards, so the service accounts have SELECT privileges across the tables being visualized. That is often enough to dump customer data, financial records, and internal metrics.
/api/admin/settings: the full configuration
The /api/admin/settings endpoint returns Grafana's entire runtime configuration, including values that are normally stored in environment variables or the grafana.ini config file:
- SMTP credentials: server, port, username, password for the email gateway
- LDAP bind credentials: the DN and password used to query Active Directory
- OAuth client secrets: for Google, GitHub, Azure AD, and Okta integrations
- Secret key: used to encrypt data source passwords and other sensitive values
- Database connection string: for Grafana's own backend database (SQLite, MySQL, or PostgreSQL)
The LDAP bind credentials are particularly valuable. They authenticate to Active Directory with enough privileges to enumerate all users, groups, and organizational units. On many networks, the LDAP bind account has more access than necessary, sometimes including the ability to reset passwords.
/api/org/users: user enumeration
The /api/org/users endpoint lists every Grafana user in the current organization, including their email addresses, roles (Admin, Editor, Viewer), and last login timestamps. Combined with the LDAP credentials from /api/admin/settings, this gives you a complete picture of who has access and how to target them.
Provisioning files on disk
Grafana supports file-based provisioning for data sources and dashboards. These YAML files live in /etc/grafana/provisioning/ and contain the same connection credentials visible through the API, but sometimes include additional data sources or credentials that are configured through provisioning but not yet active in the UI.
If you have filesystem access (through a separate vulnerability or via the Grafana server itself), these files are readable by the Grafana process user:
/etc/grafana/provisioning/datasources/
/etc/grafana/provisioning/dashboards/
/etc/grafana/provisioning/notifiers/
The attack chain
- Login with admin:admin on port 3000 (default Grafana port)
- Harvest data source credentials from /api/datasources
- Harvest SMTP, LDAP, and OAuth credentials from /api/admin/settings
- Enumerate users from /api/org/users
- Connect directly to production databases using the harvested credentials
- Authenticate to Active Directory using the LDAP bind credentials
- Pivot to email infrastructure using the SMTP credentials
Each credential from Grafana opens a new attack path. The LDAP bind password gives you Active Directory enumeration. The database credentials give you production data. The SMTP credentials let you send phishing emails from a legitimate internal mail server. A single Grafana instance with default credentials can unlock an entire corporate network.
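The chain above leaves a distinctive trace in Grafana's own request log: one user, one source address, and the three credential-bearing endpoints read in quick succession. The detector below is an added example written for this article, not code from the article or from the Grafana project. It assumes Grafana's logfmt output with request logging enabled (`[server] router_logging = true`), and the sample lines are constructed to resemble that output; field names such as `uname`, `remote_addr` and the `Successful Login` message vary between Grafana versions, so check them against a real log before deploying.

```python
import re
from datetime import datetime, timedelta

# The endpoints the article identifies as the credential-harvesting stops.
SENSITIVE_PREFIXES = ("/api/datasources", "/api/admin/settings", "/api/org/users")

# key=value pairs, with values optionally double-quoted (logfmt).
LOGFMT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s]*)')

def parse_logfmt(line):
    """Split one logfmt line into a dict; quoted values are unquoted."""
    fields = {}
    for key, raw in LOGFMT_PAIR.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

def parse_time(value):
    """Grafana writes RFC 3339 timestamps such as 2026-01-05T09:12:03.120+0000."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised timestamp: %r" % value)

def sensitive_endpoint(path):
    """Map a request path to the sensitive endpoint it belongs to, or None."""
    path = path.split("?", 1)[0]
    for prefix in SENSITIVE_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None

def detect_harvesting(lines, window=timedelta(minutes=10), trusted_sources=frozenset()):
    """Alert on (user, source IP) pairs that successfully read two or more of the
    sensitive endpoints within `window`. Sources in `trusted_sources` (e.g. the
    provisioning host) are ignored to keep the heuristic quiet on routine admin work."""
    hits = {}  # (uname, remote_addr) -> [(timestamp, endpoint), ...]
    for line in lines:
        f = parse_logfmt(line)
        if f.get("msg") != "Request Completed":
            continue
        endpoint = sensitive_endpoint(f.get("path", ""))
        if endpoint is None or not f.get("status", "").startswith("2"):
            continue
        if f.get("remote_addr") in trusted_sources:
            continue
        key = (f.get("uname", ""), f.get("remote_addr", ""))
        hits.setdefault(key, []).append((parse_time(f["t"]), endpoint))
    alerts = []
    for (user, addr), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {ep for t, ep in events[i:] if t - t0 <= window}
            if len(seen) >= 2:
                alerts.append({"user": user, "remote_addr": addr,
                               "endpoints": sorted(seen), "first_seen": t0})
                break  # one alert per (user, source) is enough
    return alerts

def builtin_admin_logins(lines):
    """Timestamps of interactive logins to the built-in admin account. Once SSO is
    enforced and the local admin is disabled, any such event deserves an alert."""
    return [f["t"] for f in map(parse_logfmt, lines)
            if f.get("msg") == "Successful Login" and f.get("User") == "admin"]

# Constructed sample log (not a real capture): an admin session reading all three
# endpoints from one address, and an on-call engineer reading only one.
SAMPLE_LOG = [
    'logger=http.server t=2026-01-05T09:12:01.000+0000 level=info msg="Successful Login" User=admin',
    'logger=context userId=1 orgId=1 uname=admin t=2026-01-05T09:12:03.120+0000 level=info msg="Request Completed" method=GET path=/api/datasources status=200 remote_addr=198.51.100.23 time_ms=6 size=2210 referer= handler=/api/datasources',
    'logger=context userId=1 orgId=1 uname=admin t=2026-01-05T09:12:09.480+0000 level=info msg="Request Completed" method=GET path=/api/admin/settings status=200 remote_addr=198.51.100.23 time_ms=3 size=9876 referer= handler=/api/admin/settings',
    'logger=context userId=1 orgId=1 uname=admin t=2026-01-05T09:12:15.002+0000 level=info msg="Request Completed" method=GET path=/api/org/users status=200 remote_addr=198.51.100.23 time_ms=2 size=540 referer= handler=/api/org/users',
    'logger=context userId=7 orgId=1 uname=oncall t=2026-01-05T09:40:00.000+0000 level=info msg="Request Completed" method=GET path=/api/dashboards/home status=200 remote_addr=10.20.30.40 time_ms=5 size=400 referer= handler=/api/dashboards/home',
    'logger=context userId=7 orgId=1 uname=oncall t=2026-01-05T09:41:00.000+0000 level=info msg="Request Completed" method=GET path=/api/datasources status=200 remote_addr=10.20.30.40 time_ms=5 size=400 referer= handler=/api/datasources',
]

if __name__ == "__main__":
    for alert in detect_harvesting(SAMPLE_LOG):
        print("harvesting pattern:", alert)
    for ts in builtin_admin_logins(SAMPLE_LOG):
        print("built-in admin login at", ts)
```

The window and the two-endpoint threshold are tuning knobs: a dashboard editor will read `/api/datasources` routinely, but reading `/api/admin/settings` and `/api/org/users` in the same few minutes is what a real administrator rarely does and a credential harvest always does.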
Defense
- Change the admin password during initial setup. Do not skip the prompt.
- Disable the default admin account and use SSO/OIDC for authentication
- Set GF_SECURITY_ADMIN_PASSWORD in environment variables for automated deployments
- Restrict API access by configuring Grafana behind a reverse proxy with IP allowlisting
- Use read-only database accounts for Grafana data sources with the minimum required privileges
- Enable Grafana's built-in audit logging to track API access
- Never expose Grafana directly to the internet without authentication enforcement at the network level
- Rotate all data source credentials if there is any suspicion that the admin account was accessed by an unauthorized party
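Most of the settings above can be checked mechanically before a deployment goes live. The script below is an added example, not code from the article or from the Grafana project. It resolves each setting the way Grafana does (a `GF_<SECTION>_<KEY>` environment variable overrides grafana.ini, which overrides the built-in default) and flags the default admin password, the default `secret_key` that protects stored data source passwords, and anonymous access. The sample ini and the environment values are constructed; the placeholder secrets stand in for values that should come from a secret store.

```python
import configparser

# Grafana's built-in default for [security] secret_key, as shipped in defaults.ini.
DEFAULT_SECRET_KEY = "SW2YcwTIb9zpOOhoPsMm"

# Built-in defaults (from Grafana's defaults.ini) for the settings audited below.
BUILTIN_DEFAULTS = {
    ("security", "admin_user"): "admin",
    ("security", "admin_password"): "admin",
    ("security", "disable_initial_admin_creation"): "false",
    ("security", "secret_key"): DEFAULT_SECRET_KEY,
    ("auth.anonymous", "enabled"): "false",
    ("auth", "disable_login_form"): "false",
}

def env_name(section, key):
    """Grafana maps every ini setting to GF_<SECTION>_<KEY>, with dots in the
    section name replaced by underscores (e.g. GF_AUTH_ANONYMOUS_ENABLED)."""
    return "GF_%s_%s" % (section.replace(".", "_").upper(), key.upper())

def load_ini(ini_text):
    """Parse grafana.ini. Grafana allows a few keys (app_mode, instance_name)
    before the first section header; park them in a dedicated default section
    so configparser accepts them."""
    cfg = configparser.ConfigParser(interpolation=None, default_section="__top__")
    cfg.read_string("[__top__]\n" + ini_text)
    return cfg

def effective(cfg, env, section, key):
    """Resolve a setting as Grafana does: environment override, then the ini
    file, then the built-in default."""
    override = env.get(env_name(section, key))
    if override is not None:
        return override
    if cfg.has_section(section) and cfg.has_option(section, key):
        return cfg.get(section, key)
    return BUILTIN_DEFAULTS.get((section, key), "")

def is_true(value):
    return value.strip().lower() in ("true", "1", "yes", "on", "t", "y")

def audit(ini_text, env):
    """Return a list of findings for the effective security settings."""
    cfg = load_ini(ini_text)
    get = lambda section, key: effective(cfg, env, section, key)
    findings = []
    # The built-in admin only exists when initial admin creation is not disabled.
    if not is_true(get("security", "disable_initial_admin_creation")):
        if get("security", "admin_password") == "admin":
            findings.append("CRITICAL [security] admin_password: built-in account '%s' "
                            "still uses the default password" % get("security", "admin_user"))
    if get("security", "secret_key") == DEFAULT_SECRET_KEY:
        findings.append("HIGH [security] secret_key: default value, so stored data source "
                        "passwords are encrypted with a publicly known key")
    if is_true(get("auth.anonymous", "enabled")):
        findings.append("MEDIUM [auth.anonymous] enabled: dashboards and the data source "
                        "proxy are reachable without login")
    return findings

# Constructed weak configuration: defaults left in place, anonymous access on.
WEAK_INI = """\
app_mode = production

[server]
http_port = 3000

[security]
admin_user = admin
admin_password = admin
secret_key = SW2YcwTIb9zpOOhoPsMm

[auth.anonymous]
enabled = true
org_role = Viewer
"""

# Constructed hardened deployment: the same ini, but secrets injected through the
# environment (placeholders below; real values come from a secret store).
HARDENED_ENV = {
    "GF_SECURITY_ADMIN_PASSWORD": "<placeholder: long random value from secret store>",
    "GF_SECURITY_SECRET_KEY": "<placeholder: 32+ random bytes, base64-encoded>",
    "GF_AUTH_ANONYMOUS_ENABLED": "false",
}

if __name__ == "__main__":
    for label, env in (("weak", {}), ("hardened", HARDENED_ENV)):
        print(label, "->", audit(WEAK_INI, env) or ["no findings"])
```

Setting `GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION=true` alongside SSO removes the built-in admin entirely, which is why the audit skips the password check in that case; the `secret_key` and anonymous-access checks still apply.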
Want us to check your Grafana setup?
Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.
