diff --git a/docker/grafana/Dockerfile b/docker/grafana/Dockerfile
index 81f4cc0fd1..78a24b637d 100644
--- a/docker/grafana/Dockerfile
+++ b/docker/grafana/Dockerfile
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM docker.io/grafana/grafana:7.4.1-ubuntu
+FROM docker.io/grafana/grafana:7.4.2-ubuntu
 
 LABEL maintainer="infra-root@openstack.org"
 
diff --git a/playbooks/roles/grafana/templates/grafana.vhost.j2 b/playbooks/roles/grafana/templates/grafana.vhost.j2
index afddd47487..07a5caf3ce 100644
--- a/playbooks/roles/grafana/templates/grafana.vhost.j2
+++ b/playbooks/roles/grafana/templates/grafana.vhost.j2
@@ -34,6 +34,13 @@
   SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
   SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
 
+  # NOTE(ianw) 2021-02-19
+  # This was for a security issue fixed in 7.4.2
+  # where anonymous users could cause a write to disk, fixed
+  # with
+  #  https://github.com/grafana/grafana/pull/31263/
+  # We leave it because we don't use the API, but if we need
+  # it, we can remove this.
   RewriteEngine on
   RewriteRule "^/api/snapshots(.*?)$" "-" [F]