GrafanaGhost exposes a stealth AI exploit chain in Grafana that silently exfiltrates sensitive data using prompt injection, URL bypasses, and guardrail evasion.

Continue reading
A new research post from Noma Security describes a critical issue it calls GrafanaGhost, a chained exploit aimed at Grafana environments that use AI-driven features. The company says the technique can silently exfiltrate sensitive data by combining indirect prompt injection, weak URL validation, and model-guardrail bypasses, all without requiring the victim to click a phishing link or trigger an obvious security warning. The post is dated April 7, 2026 and is credited to Sasi Levi.
Grafana is not just a dashboard tool. In many organizations, it sits close to the most sensitive operational telemetry, including financial indicators, infrastructure health, customer-related data, and internal monitoring streams. That makes it a valuable place for an attacker to hunt for anything that can be turned into a quiet outbound request. For context, Grafana describes itself as an open source visualization and dashboarding platform used to explore metrics, logs, and traces.
According to Noma’s write-up, GrafanaGhost starts with stored, user-controlled content that later gets processed by the AI layer. From there, the attack chain unfolds in four stages: a crafted path or parameter is used to seed malicious context, the prompt is hidden as indirect instruction, the AI’s rendering logic is nudged into acknowledging an external URL, and the final request leaks data to an attacker-controlled server. The post frames this as a background exfiltration path rather than a classic interactive web attack.
The first bypass is technical, not theatrical. Noma says its researchers found a flaw in image URL validation where a protocol-relative value such as `//example.com/...` could slip past a naïve `startsWith('/')` check and still be interpreted by the browser as an external destination. That turns a supposedly “safe” path into a channel for outbound traffic.
The second bypass is behavioral. Noma says the model’s guardrails could be weakened by inserting the keyword INTENT into the injected prompt, which changed how the AI handled the malicious instruction. In the company’s telling, that was the final piece that allowed the chain to run automatically.
This is bigger than one dashboard product because it shows how modern attacks can blend application logic, browser parsing, and AI behavior into a single stealth path. In practical terms, the danger is not only data loss, but also the absence of the usual signals defenders rely on. Noma says there is no suspicious click trail, no blocked access screen, and no obvious blast of failed requests to alert a team early.
That is exactly why the issue sits at the intersection of AI security and classic web security. For teams mapping their own exposure, the right lens is closer to OWASP Top 10 thinking than to a narrow prompt-injection-only checklist. The lesson is that AI features inherit the full attack surface of the application around them, not just the model.
The research that technically discloses says more about the Grafana team responded quickly, validated the findings, and rolled out a fix. That part of the story matters because it shows the exploit was treated as a real security issue, not just a theoretical prompt-engineering trick.
The clearest takeaway is that AI-assisted observability tools need defense in depth that is actually layered, not assumed. Client-side filters, model guardrails, and trusted-looking paths can all fail in different ways. Security teams should therefore treat AI-generated or AI-processed dashboard content as untrusted, validate URL handling on the server side, and assume that indirect prompt injection is an application-layer threat, not just a model problem.
GrafanaGhost is a sharp reminder that the new attack surface is not just the prompt box. It is the entire chain around it: stored context, rendering behavior, browser parsing, and the policy assumptions stitched between them. In Noma’s framing, that is what makes the attack feel invisible while still being operationally serious.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation