By NHI Mgmt Group Editorial Team
Published 2026-04-07
Domain: Breaches & Incidents
Source: Noma Security

TL;DR: Noma Security describes GrafanaGhost, a silent exfiltration path in Grafana that combines indirect prompt injection, protocol-relative URL bypasses, and model guardrail evasion to leak sensitive business data without user clicks. The finding underscores that client-side validation and AI safeguards are brittle when NHI and agentic features share the same data plane.


At a glance

What this is: GrafanaGhost is a silent data-exfiltration technique in Grafana that uses indirect prompt injection and URL handling flaws to leak sensitive data through agentic features.

Why it matters: It matters because Grafana often holds high-value telemetry and business data, so a bypass here becomes an NHI governance and access-control problem, not just an application bug.

👉 Read Noma Security's analysis of GrafanaGhost and silent Grafana data exfiltration


Context

GrafanaGhost is a prompt-injection and data-exfiltration chain aimed at agentic features inside a monitoring platform. The security gap is not only in the model but in how the application decides which inputs, URLs, and rendered content are trustworthy before they touch external systems or sensitive telemetry.

For IAM and NHI teams, this is a governance problem because automated workflows can act with execution authority even when no human is involved. When a dashboard or AI-assisted interface can be induced to request external content, the identity boundary between internal data and external receivers becomes the control point that matters most.

That starting position is increasingly common in modern observability and AI-enabled platforms, where application logic, model output, and browser-side checks are all part of the attack surface. The article’s scenario is therefore representative of a broader pattern, not an isolated edge case.


Key questions

Q: How should security teams govern AI-enabled dashboards that can make outbound requests?

A: Treat every outbound request as an access decision, not just a rendering step. Require server-side approval for destinations, apply least privilege to the agent or service account making the call, and deny requests that carry tenant context unless the business case is explicit and logged.

Q: Why do indirect prompt injections matter for IAM and NHI governance?

A: They matter because they can turn a trusted workflow into an unauthorized actor without stealing a password. If a system can be persuaded to fetch, render, or transmit data on behalf of an attacker, the identity boundary has failed even when authentication never did.

Q: What is the difference between model guardrails and enforceable access controls?

A: Model guardrails try to stop unsafe behaviour by interpreting language, while access controls block the action itself through policy. Guardrails can reduce risk, but only deterministic controls can reliably prevent an agent from making an external request or revealing sensitive data.

Q: When should organisations treat dashboard agents as non-human identities?

A: Any time a dashboard or AI feature can execute actions, call external services, or transform data autonomously. At that point it is no longer just an interface. It is an identity-bearing workload that needs ownership, scoping, monitoring, and lifecycle control.


Technical breakdown

How indirect prompt injection turns trusted dashboard content into a control plane

Indirect prompt injection occurs when an attacker plants instructions in content the model or agent will later process as if it were normal context. In this case, the payload is not a prompt typed by the victim but stored or reflected input that the application later feeds into the AI layer. That makes the boundary between data and instruction ambiguous. Once the agent follows the hidden instruction, it can be steered toward external requests, unsafe rendering, or data reshaping without a traditional exploit payload. The real weakness is trust in unvalidated context.

Practical implication: Treat any user-controlled or persisted content as hostile until it is isolated from agent execution paths.

Why protocol-relative URLs break client-side image allowlists

Protocol-relative URLs, written with a leading double slash, inherit the current page's scheme but still point at whatever host follows the slashes, including an external one. A simplistic allowlist that only checks whether a string starts with a slash will misclassify such URLs as local or relative paths. That creates a parsing gap between string validation and browser interpretation. Client-side checks are especially fragile because the browser, not the validator, ultimately resolves the destination. If the application relies on JavaScript-only URL filtering, an attacker can often find a representation that passes the check while still reaching a remote server.

Practical implication: Validate URLs with canonical parsing on the server side and block browser-resolved ambiguity before rendering agent output.
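To make that parsing gap concrete, here is an added example (not code from Grafana, and not from Noma Security's write-up) that contrasts a prefix-based "is this local?" check with what the WHATWG URL parser shared by browsers and Node.js actually resolves. The allowlisted hosts, the page origin and the candidate image sources are constructed sample values. It goes slightly beyond the protocol-relative case in the text by also including the slash/backslash variants that the same parser treats as authority-bearing.

```javascript
// Added example (not Grafana's or Noma Security's code): the gap between a
// prefix-based "is this a local path?" check and what the browser resolves.
// Uses the WHATWG URL parser that Node.js and browsers share.

// Hosts the dashboard may load images from (constructed sample values).
const ALLOWED_HOSTS = new Set(['grafana.internal.example', 'cdn.internal.example']);

// The dashboard origin the browser resolves relative references against
// (constructed sample value).
const PAGE_ORIGIN = 'https://grafana.internal.example';

// Weak, client-side style check: anything starting with "/" is treated as a
// same-origin path. This is the kind of check the article describes as bypassable.
function weakIsLocal(src) {
  return src.startsWith('/');
}

// What the browser actually does with the string: resolve it against the page
// origin and report the host it would contact. Returns null if unparseable.
function resolvedHost(src) {
  try {
    return new URL(src, PAGE_ORIGIN).host;
  } catch {
    return null;
  }
}

// Canonical, server-side style check: parse first, then decide on the parsed
// scheme and host, never on the raw string. Only http(s) to an allowlisted
// host is accepted.
function strictIsAllowed(src) {
  let url;
  try {
    url = new URL(src, PAGE_ORIGIN);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return ALLOWED_HOSTS.has(url.host);
}

// For each candidate source, report whether the weak check calls it local,
// which host the browser would really contact, and whether the strict check
// accepts it.
function evaluate(candidates) {
  return candidates.map((src) => ({
    src,
    weakSaysLocal: weakIsLocal(src),
    browserHost: resolvedHost(src),
    strictAllows: strictIsAllowed(src),
  }));
}

// Constructed sample inputs: a genuine local path, the protocol-relative form
// the article discusses, and two slash/backslash variants the WHATWG parser
// also resolves to an external host.
const SAMPLES = [
  '/public/img/logo.png',
  '//collector.untrusted.example/pixel.png',
  '/\\collector.untrusted.example/pixel.png',
  '\\\\collector.untrusted.example/pixel.png',
];

for (const row of evaluate(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

Run it with Node.js. The second and third samples pass the prefix check yet resolve to the external collector host; the strict check rejects all three external forms because it decides on the parsed host rather than on how the string begins. The same parse-then-decide logic belongs on the server, ahead of any render of agent output.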

How model guardrails can fail when prompts are shaped to match expected intent

AI guardrails often rely on pattern recognition, policy scoring, or context cues rather than hard execution boundaries. The article shows a case where prompt wording influenced whether the model treated the instruction as legitimate. That is a known failure mode in agentic systems: the model decides whether a request feels safe, but it is not the right authority for data exfiltration controls. Once guardrails become a soft filter, an attacker only needs a phrasing variant that slips through. Security outcomes should not depend on the model’s interpretation of intent.

Practical implication: Use deterministic policy enforcement outside the model and reserve guardrails as a secondary layer, not the last line of defense.


Threat narrative

Attacker objective: The attacker’s objective is to move sensitive business telemetry and dashboard content out of Grafana without triggering a visible access-denied event or user interaction.

  1. Entry begins with attacker-controlled content or path values that Grafana later stores and reprocesses as agent context.
  2. Escalation occurs when indirect prompt injection and protocol-relative URLs bypass weak client-side allowlists and model guardrails.
  3. Impact is silent exfiltration of sensitive dashboard data to an external server through an apparently normal image request.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

GrafanaGhost shows that the identity boundary in agentic dashboards is now the control boundary. When a system can be induced to act on stored context and then call out to an external host, the issue is not merely prompt safety. It is authorization over machine-initiated actions, which means NHI governance must cover rendering, retrieval, and outbound communication as one control plane. Practitioners should treat dashboard agents as execution-capable identities, not passive UI helpers.

Client-side allowlists are not a meaningful security boundary for AI-enabled applications. The article’s URL parsing bypass is a reminder that string checks and browser behavior are not the same thing. In NHI terms, that means the system can appear policy-compliant while still making an unauthorized external request. Security teams should assume that any validation performed only in the browser or only in the model can be bypassed by a crafted representation.

Indirect prompt injection is becoming an identity abuse pattern, not just an LLM content problem. The attacker does not need a login if they can persuade a trusted workflow to perform the network action on their behalf. That shifts the priority from prompt hygiene to execution scoping, outbound controls, and per-action authorization. The practitioner conclusion is simple: if an agent can fetch, render, or transmit data, it needs explicit identity governance.

Ephemeral trust is the new failure mode in agentic telemetry systems. The platform may trust a prompt, a path, or a render decision for only a moment, but that moment is enough to leak sensitive data. This creates what we would call ephemeral credential trust debt: short-lived, assumed trust that never gets formally governed. Teams should reduce that debt by binding every agent action to policy, context, and approval state.

From our research:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
  • For deeper context on secret exposure patterns, see The State of Secrets Sprawl 2025 for how leaked credentials and embedded secrets continue to widen the attack surface.

What this signals

GrafanaGhost reinforces a broader identity lesson for AI-enabled platforms: the most dangerous control failures now sit between context handling and outbound action. If the platform can be induced to fetch or render external content, IAM teams need to treat that action like privileged access, not UI behaviour. For governance teams, the practical next step is to map every agent-initiated network call to an accountable identity and policy decision.

Identity blast radius is the right lens for this class of risk. A dashboard that can reach internal telemetry and then call out to an attacker-controlled host creates a high-speed data path with very little human visibility. That matters because short-lived trust can still cause durable exposure. Security programmes should pair agent scoping with the NIST Cybersecurity Framework 2.0 and the NIST AI Risk Management Framework where autonomous decisioning is present.

With 4.6% of all public GitHub repositories containing at least one hardcoded secret, the surrounding ecosystem shows that data exposure is not a corner-case problem but a structural one. The governance response should extend beyond secrets rotation into runtime controls, validation of render paths, and continuous review of AI-assisted workflows. Teams that only harden static credentials will miss the execution layer where this attack lives.


For practitioners

  • Audit outbound request paths in AI-enabled dashboards: Inventory every place the platform can generate external requests, including image rendering, link previewing, and embedded content fetches. Block unknown destinations at the network layer and require explicit server-side approval for any external call that carries user or tenant context.
  • Replace browser-only URL checks with server-side canonical validation: Parse and normalize URLs before any render or fetch decision is made. Deny protocol-relative forms, mixed-scheme edge cases, and host matching that depends on string prefixes rather than resolved destinations.
  • Separate model instructions from stored application data: Keep user-controlled content outside the prompt or agent context unless it is sanitized, tagged, and policy-scoped. This is especially important for logs, comments, dashboard annotations, and any field that can be re-read by an AI feature.
  • Bind agent actions to explicit authorization policy: Require policy checks for each sensitive action an agent can take, including retrieval, transformation, and transmission. Map those checks to least privilege and reference the NHI Lifecycle Management Guide for provisioning, rotation, and offboarding controls.
  • Test prompt-injection and rendering bypasses together: Red-team the full chain, not only the model. Validate whether hidden instructions, malformed paths, and alternative URL forms can jointly trigger exfiltration, then document compensating controls in the Ultimate Guide to NHIs, Key Challenges and Risks.
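The first four items above (outbound inventory, canonical validation, tagged context, per-action policy) can be wired together in a single deterministic gate that sits outside the model, which is also the practical answer to the indirect prompt injection discussion in the technical breakdown. The following is an added illustration, not Grafana's code and not from Noma Security's write-up; the agent identity name, the policy table, the hosts and the scenario contexts are all constructed assumptions.

```javascript
// Added example (not Grafana's or Noma Security's code): a deny-by-default,
// server-side gate for agent-initiated actions. Each action names the identity
// performing it, the operation, the destination, and the tagged context it
// carries. Policy decides; model output never does.

// Constructed sample policy keyed by agent identity and operation: which hosts
// may be contacted, and whether tenant-scoped data may travel with the request.
const POLICY = {
  'svc-dashboard-agent': {
    fetch: { hosts: ['grafana.internal.example', 'cdn.internal.example'], allowTenantData: false },
    render: { hosts: ['grafana.internal.example'], allowTenantData: true },
    transmit: { hosts: ['metrics-export.internal.example'], allowTenantData: true },
  },
};

// In-memory audit trail of every decision (a deployment would ship this out).
const auditLog = [];

// Tag content before it reaches the agent. Anything not produced by the system
// itself is marked untrusted; tenantData marks customer-scoped material.
function tagContext(text, source, tenantData = false) {
  return { text, source, untrusted: source !== 'system', tenantData };
}

// Parse an absolute destination; null unless it is a usable http(s) URL.
function parseDestination(destination) {
  try {
    const u = new URL(destination);
    return u.protocol === 'https:' || u.protocol === 'http:' ? { host: u.host } : null;
  } catch {
    return null;
  }
}

// Deny-by-default decision. Returns { allowed, reason } and records the outcome,
// including whether untrusted context was present, so detection can correlate
// denied actions with injected content.
function authorize({ identity, operation, destination, context }) {
  const rules = POLICY[identity] && POLICY[identity][operation];
  const dest = parseDestination(destination);
  const tenantData = context.some((c) => c.tenantData);
  const untrusted = context.some((c) => c.untrusted);

  let reason;
  if (!rules) reason = 'no policy for this identity and operation';
  else if (!dest) reason = 'destination is not an http(s) URL';
  else if (!rules.hosts.includes(dest.host)) reason = 'host not allowlisted for this operation';
  else if (tenantData && !rules.allowTenantData) reason = 'tenant data may not leave via this operation';
  else reason = 'allowed by policy';
  const allowed = reason === 'allowed by policy';

  auditLog.push({ identity, operation, host: dest ? dest.host : null, tenantData, untrusted, allowed, reason });
  return { allowed, reason };
}

// Constructed scenarios covering the cases the checklist above calls out.
function runScenarios() {
  const systemCtx = [tagContext('panel title: CPU usage', 'system')];
  const annotationCtx = [tagContext('free-text annotation from a shared dashboard', 'dashboard-annotation')];
  const tenantCtx = [tagContext('customer 4711 revenue series', 'datasource', true)];
  return [
    authorize({ identity: 'svc-dashboard-agent', operation: 'fetch', destination: 'https://cdn.internal.example/logo.png', context: systemCtx }),
    authorize({ identity: 'svc-dashboard-agent', operation: 'fetch', destination: 'https://collector.untrusted.example/p.png', context: annotationCtx }),
    authorize({ identity: 'svc-dashboard-agent', operation: 'transmit', destination: 'https://metrics-export.internal.example/v1', context: tenantCtx }),
    authorize({ identity: 'svc-dashboard-agent', operation: 'fetch', destination: 'https://cdn.internal.example/logo.png', context: tenantCtx }),
    authorize({ identity: 'svc-unknown', operation: 'fetch', destination: 'https://cdn.internal.example/logo.png', context: systemCtx }),
  ].map((r) => r.allowed);
}

console.log(runScenarios()); // [ true, false, true, false, false ]
console.table(auditLog);
```

Two design points are worth noting. The gate never inspects the text of the context to decide; it only reads the tags, so a phrasing variant that fools a model changes nothing here. And every decision, allowed or denied, lands in the audit record with the identity and the untrusted flag, which is what an NHI governance team needs to attribute a machine-initiated outbound call to an accountable workload.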

Key takeaways

  • AI-enabled dashboards can become exfiltration tools when agent actions are not separately governed from the user interface.
  • Client-side validation and model guardrails are useful friction, but neither substitutes for server-side policy enforcement and outbound request control.
  • Practitioners should treat prompt injection, URL parsing, and non-human identity governance as one problem space, not three separate ones.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while the NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                  Control / Reference   Relevance
OWASP Agentic AI Top 10    (none listed)         Indirect prompt injection and tool misuse are central to this attack path.
NIST AI RMF                (none listed)         AI RMF addresses governance and accountability for autonomous AI actions.
NIST CSF 2.0               PR.AC-4               Least privilege is required when dashboard agents can call external systems.

Constrain agent instructions, separate context from commands, and test for tool misuse in render paths.


Key terms

  • Indirect Prompt Injection: A technique where malicious instructions are hidden inside content that an AI system later reads as context. The system follows the attacker’s instructions because it treats the content as trusted input, which can redirect output, trigger actions, or expose data without a classic login compromise.
  • Protocol-Relative URL: A URL form that begins with double slashes and inherits the current scheme from the page. It can look like a local or harmless path to weak validators while the browser resolves it to an external destination, which makes it a common parsing bypass in web security.
  • Agentic Dashboard: A dashboard or interface with AI features that can take actions, not just display information. Once it can fetch, render, transform, or transmit data autonomously, it behaves like a non-human identity and needs explicit authorization, monitoring, and lifecycle governance.
  • Identity Blast Radius: The potential scope of damage when a non-human identity or agent is abused. It reflects how much data, how many systems, and how many downstream actions become reachable if one workflow, token, or service account is manipulated or compromised.

Deepen your knowledge

GrafanaGhost and indirect prompt injection are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agentic dashboards or telemetry systems, it is worth exploring.

This post draws on content published by Noma Security: GrafanaGhost and silent data exfiltration in Grafana. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org