Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
136 vulnerabilities by Grafana
CVE-2026-42127 (GCVE-0-2026-42127)
Vulnerability from cvelistv5 – Published: 2026-06-22 16:31 – Updated: 2026-06-22 16:31
VLAI
Title
Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
Summary
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
Severity
7.5 (High)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana Enterprise |
Affected:
0 , ≤ 11.6.14
(semver)
Affected: 0 , ≤ 12.2.8 (semver) Affected: 0 , ≤ 12.3.6 (semver) Affected: 0 , ≤ 12.4.3 (semver) Affected: 0 , ≤ 13.0.1 (semver) |
|
| Grafana | Grafana OSS |
Affected:
11.6.0 , ≤ 11.6.14
(semver)
Affected: 12.2.0 , ≤ 12.2.8 (semver) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 13.0.0 , ≤ 13.0.1 (semver) |
Date Public
2026-05-24 15:38
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Charlie Lewis"
}
],
"datePublic": "2026-05-24T15:38:07.115Z",
"descriptions": [
{
"lang": "en",
"value": "The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:28.096Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-42127"
}
],
"source": {
"discovery": "EXTERNAL_REPORT"
},
"title": "Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-42127",
"datePublished": "2026-06-22T16:31:28.096Z",
"dateReserved": "2026-04-24T15:38:08.066Z",
"dateUpdated": "2026-06-22T16:31:28.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28381 (GCVE-0-2026-28381)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:20 – Updated: 2026-06-22 15:43
VLAI
Title
Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT
Summary
The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Snowflake Datasource |
Affected:
1.14.7 , ≤ 1.14.12
(semver)
|
Date Public
2026-05-15 17:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:43:02.758856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:43:15.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Snowflake Datasource",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "1.14.12",
"status": "affected",
"version": "1.14.7",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "stargravy (Researcher)"
}
],
"datePublic": "2026-05-15T17:00:39.039Z",
"descriptions": [
{
"lang": "en",
"value": "The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:20:29.440Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28381"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28381",
"datePublished": "2026-06-22T13:20:29.440Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-06-22T15:43:15.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9029 (GCVE-0-2026-9029)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:18 – Updated: 2026-06-22 15:43
VLAI
Title
Stored XSS via Geomap Panel Template Variable Attribution Injection
Summary
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
12.4.0
(semver)
|
Date Public
2026-05-22 14:46
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:43:30.408282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:43:43.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "trailerb18 (Researcher)"
}
],
"datePublic": "2026-05-22T14:46:29.694Z",
"descriptions": [
{
"lang": "en",
"value": "The geomap panel\u0027s XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, which uses the glob format with no HTML escaping. The result is passed to OpenLayers via element.innerHTML. An Editor can set a textbox variable\u0027s default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:18:40.770Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-9029"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Stored XSS via Geomap Panel Template Variable Attribution Injection",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-9029",
"datePublished": "2026-06-22T13:18:40.770Z",
"dateReserved": "2026-05-19T15:28:45.662Z",
"dateUpdated": "2026-06-22T15:43:43.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10601 (GCVE-0-2026-10601)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:18 – Updated: 2026-06-22 15:44
VLAI
Title
Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access
Summary
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
11.6.0
(semver)
|
Date Public
2026-06-06 13:55
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:44:03.006985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:44:16.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Cloud",
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "homb (Researcher)"
}
],
"datePublic": "2026-06-06T13:55:46.009Z",
"descriptions": [
{
"lang": "en",
"value": "The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki\u0027s CallResource which returns full HTTP response bodies."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:18:31.531Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-10601"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Path Traversal in Tempo and Loki Data Source Plugins \u2014 Credential Leakage and Admin Endpoint Access",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-10601",
"datePublished": "2026-06-22T13:18:31.531Z",
"dateReserved": "2026-06-02T09:57:26.570Z",
"dateUpdated": "2026-06-22T15:44:16.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42129 (GCVE-0-2026-42129)
Vulnerability from cvelistv5 – Published: 2026-06-22 13:18 – Updated: 2026-06-22 15:44
VLAI
Title
Path Traversal in Loki Datasource leads to Internal Information Disclosure
Summary
The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Date Public
2026-05-28 15:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:44:32.401117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:44:43.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "khanmarshal (Researcher)"
}
],
"datePublic": "2026-05-28T15:30:40.066Z",
"descriptions": [
{
"lang": "en",
"value": "The Loki datasource plugin\u0027s callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin\u0027s resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:18:27.365Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-42129"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Path Traversal in Loki Datasource leads to Internal Information Disclosure",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-42129",
"datePublished": "2026-06-22T13:18:27.365Z",
"dateReserved": "2026-04-24T15:38:08.067Z",
"dateUpdated": "2026-06-22T15:44:43.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27878 (GCVE-0-2026-27878)
Vulnerability from cvelistv5 – Published: 2026-06-19 19:02 – Updated: 2026-06-22 17:10
VLAI
Title
Tempo TraceQL query with exemplar hint could result in unbounded memory usage
Summary
A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Enterprise Traces (GET) |
Affected:
2.6.1 , < 2.8.8
(semver)
|
|
| Grafana | Tempo |
Affected:
2.6.0 , < 2.10.2
(semver)
|
Date Public
2026-03-23 19:28
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T17:09:51.414285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T17:10:04.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Enterprise Traces (GET)",
"vendor": "Grafana",
"versions": [
{
"lessThan": "2.8.8",
"status": "affected",
"version": "2.6.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tempo",
"vendor": "Grafana",
"versions": [
{
"lessThan": "2.10.2",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-23T19:28:24.658Z",
"descriptions": [
{
"lang": "en",
"value": "A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:13.910Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27878"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Tempo TraceQL query with exemplar hint could result in unbounded memory usage",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27878",
"datePublished": "2026-06-19T19:02:27.028Z",
"dateReserved": "2026-02-24T14:30:17.726Z",
"dateUpdated": "2026-06-22T17:10:04.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11769 (GCVE-0-2026-11769)
Vulnerability from cvelistv5 – Published: 2026-06-13 04:17 – Updated: 2026-06-16 12:01
VLAI
Title
Operator - Namespaced User Path Traversal
Summary
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.
### Summary
The Grafana Operator supports loading dashboards & library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.
### Impact
It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.
### Affected versions
All Grafana Operator versions <= 5.23
### Solutions and mitigations
All installations should be upgraded as soon as possible.
As a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "prevent-jsonnet-dashboards"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["grafana.integreatly.org"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE"]
resources: ["grafanadashboards", "grafanalibrarypanels"]
validations:
- expression: "!has(object.spec.jsonnetLib)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "prevent-jsonnet-dashboards-clusterwide"
spec:
policyName: "prevent-jsonnet-dashboards"
validationActions: [Deny]
### Acknowledgement
We would like to thank Artem Cherezov for responsibly disclosing the vulnerability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana Operator |
Affected:
0 , ≤ 5.23.0
(semver)
|
Date Public
2026-06-12 11:17
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11769",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T17:24:16.248300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T12:01:19.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana Operator",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "5.23.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cherez0ff"
}
],
"datePublic": "2026-06-12T11:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWe have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.\u003c/p\u003e\u003cp\u003e### Summary\u003c/p\u003e\u003cp\u003eThe Grafana Operator supports loading dashboards \u0026amp; library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.\u003c/p\u003e\u003cp\u003e### Impact\u003c/p\u003e\u003cp\u003eIt is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.\u003c/p\u003e\u003cp\u003e### Affected versions\u003c/p\u003e\u003cp\u003eAll Grafana Operator versions \u0026lt;= 5.23\u003c/p\u003e\u003cp\u003e### Solutions and mitigations\u003c/p\u003e\u003cp\u003eAll installations should be upgraded as soon as possible.\u003c/p\u003e\u003cp\u003eAs a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources:\u003c/p\u003e\u003cp\u003eapiVersion: admissionregistration.k8s.io/v1\u003c/p\u003e\u003cp\u003ekind: ValidatingAdmissionPolicy\u003c/p\u003e\u003cp\u003emetadata:\u003c/p\u003e\u003ccode\u003e name: \"prevent-jsonnet-dashboards\"\u003c/code\u003e\u003cbr\u003e\u003cp\u003espec:\u003c/p\u003e\u003ccode\u003e failurePolicy: Fail\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e matchConstraints:\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e resourceRules:\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e - apiGroups: [\"grafana.integreatly.org\"]\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e apiVersions: [\"v1beta1\"]\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e operations: [\"CREATE\", \"UPDATE\"]\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e resources: [\"grafanadashboards\", \"grafanalibrarypanels\"]\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e validations:\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e - expression: \"!has(object.spec.jsonnetLib)\"\u003c/code\u003e\u003cbr\u003e\u003cp\u003e---\u003c/p\u003e\u003cp\u003eapiVersion: admissionregistration.k8s.io/v1\u003c/p\u003e\u003cp\u003ekind: ValidatingAdmissionPolicyBinding\u003c/p\u003e\u003cp\u003emetadata:\u003c/p\u003e\u003ccode\u003e name: \"prevent-jsonnet-dashboards-clusterwide\"\u003c/code\u003e\u003cbr\u003e\u003cp\u003espec:\u003c/p\u003e\u003ccode\u003e policyName: \"prevent-jsonnet-dashboards\"\u003c/code\u003e\u003cbr\u003e\u003ccode\u003e validationActions: [Deny]\u003c/code\u003e\u003cbr\u003e\u003cp\u003e### Acknowledgement\u003c/p\u003e\u003cp\u003eWe would like to thank Artem Cherezov for responsibly disclosing the vulnerability.\u003c/p\u003e"
}
],
"value": "We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.\n\n\n\n### Summary\n\n\n\nThe Grafana Operator supports loading dashboards \u0026 library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod.\n\n\n\n### Impact\n\n\n\nIt is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager.\n\n\n\n### Affected versions\n\n\n\nAll Grafana Operator versions \u003c= 5.23\n\n\n\n### Solutions and mitigations\n\n\n\nAll installations should be upgraded as soon as possible.\n\n\n\nAs a workaround, the following ValidatingAdmissionPolicy prevent the creation or modification of jsonnet based resources:\n\n\n\napiVersion: admissionregistration.k8s.io/v1\n\n\n\nkind: ValidatingAdmissionPolicy\n\n\n\nmetadata:\n\n name: \"prevent-jsonnet-dashboards\"\n\n\nspec:\n\n failurePolicy: Fail\n matchConstraints:\n resourceRules:\n - apiGroups: [\"grafana.integreatly.org\"]\n apiVersions: [\"v1beta1\"]\n operations: [\"CREATE\", \"UPDATE\"]\n resources: [\"grafanadashboards\", \"grafanalibrarypanels\"]\n validations:\n - expression: \"!has(object.spec.jsonnetLib)\"\n\n\n---\n\n\n\napiVersion: admissionregistration.k8s.io/v1\n\n\n\nkind: ValidatingAdmissionPolicyBinding\n\n\n\nmetadata:\n\n name: \"prevent-jsonnet-dashboards-clusterwide\"\n\n\nspec:\n\n policyName: \"prevent-jsonnet-dashboards\"\n validationActions: [Deny]\n\n\n### Acknowledgement\n\n\n\nWe would like to thank Artem Cherezov for responsibly disclosing the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T04:17:41.099Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-11769"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Operator - Namespaced User Path Traversal",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-11769",
"datePublished": "2026-06-13T04:17:41.099Z",
"dateReserved": "2026-06-09T10:52:06.229Z",
"dateUpdated": "2026-06-16T12:01:19.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28374 (GCVE-0-2026-28374)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
IDOR in Annotations API allows unprivileged users to DELETE annotation
Summary
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
8.5.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:32:58.713813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:33:13.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "8.5.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:30.736Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28374"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "IDOR in Annotations API allows unprivileged users to DELETE annotation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28374",
"datePublished": "2026-05-13T19:28:40.053Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-06-22T16:31:30.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33378 (GCVE-0-2026-33378)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro
Summary
Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
8.0.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:33:44.094482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:33:58.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:25.643Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33378"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33378",
"datePublished": "2026-05-13T19:28:37.606Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-06-22T16:31:25.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28383 (GCVE-0-2026-28383)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
Grafana plugin resources can lead to unbounded memory allocation
Summary
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
6.7.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:35:48.301448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:36:22.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "6.7.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:12.042Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28383"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Grafana plugin resources can lead to unbounded memory allocation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28383",
"datePublished": "2026-05-13T19:28:36.952Z",
"dateReserved": "2026-02-27T07:16:12.219Z",
"dateUpdated": "2026-06-22T16:31:12.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33376 (GCVE-0-2026-33376)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
Auth Proxy IPv6 whitelist bypass
Summary
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1188 - Initialization of a Resource with an Insecure Default
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
9.4.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188 Initialization of a Resource with an Insecure Default",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T03:56:01.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:29.856Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33376"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Auth Proxy IPv6 whitelist bypass",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33376",
"datePublished": "2026-05-13T19:28:34.473Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-06-22T16:31:29.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33380 (GCVE-0-2026-33380)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
SQL Expressions Read File From Disk
Summary
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
11.6.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:12:34.365612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:12:46.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server\u0027s filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:12.990Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33380"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SQL Expressions Read File From Disk",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33380",
"datePublished": "2026-05-13T19:28:32.915Z",
"dateReserved": "2026-03-19T07:55:06.978Z",
"dateUpdated": "2026-06-22T16:31:12.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28380 (GCVE-0-2026-28380)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
BAC in Snapshot API allows deletion of unauthorized dashboard snapshots
Summary
Any Editor could delete any snapshot, even if they have no access to read or write them.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
9.4.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:54:58.435055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:55:03.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Any Editor could delete any snapshot, even if they have no access to read or write them."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:18.705Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28380"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "BAC in Snapshot API allows deletion of unauthorized dashboard snapshots",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28380",
"datePublished": "2026-05-13T19:28:32.257Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-06-22T16:31:18.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33381 (GCVE-0-2026-33381)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
Users can generate Service Account tokens after permissions removal
Summary
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
9.2.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T03:55:59.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When a user\u0027s access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:11.099Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33381"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Users can generate Service Account tokens after permissions removal",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33381",
"datePublished": "2026-05-13T19:28:31.559Z",
"dateReserved": "2026-03-19T07:55:06.978Z",
"dateUpdated": "2026-06-22T16:31:11.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33377 (GCVE-0-2026-33377)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin
Summary
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
8.5.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T03:55:59.661383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T18:33:09.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "8.5.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:20.472Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33377"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Dashboard Import Overwrites ACL \u2014 Editor Privilege Escalation to Dashboard Admin",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33377",
"datePublished": "2026-05-13T19:28:28.154Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-06-22T16:31:20.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28376 (GCVE-0-2026-28376)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
Grafana Live push endpoint allows unbounded memory allocation leading to OOM
Summary
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
8.0.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:10:50.762919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:10:54.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:16.944Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28376"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Grafana Live push endpoint allows unbounded memory allocation leading to OOM",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28376",
"datePublished": "2026-05-13T19:28:26.544Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-06-22T16:31:16.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28379 (GCVE-0-2026-28379)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-22 16:31
VLAI
Title
Viewer-triggered race condition in Grafana Live leads to complete server crash
Summary
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
8.2.0 , ≤ 11.6.14
(semver)
Affected: 11.6.14 , < 11.6.14+security-04 (custom) Affected: 12.0.0 , ≤ 12.2.8 (semver) Affected: 12.2.8 , < 12.2.8+security-04 (custom) Affected: 12.3.0 , ≤ 12.3.6 (semver) Affected: 12.3.6 , < 12.3.6+security-04 (custom) Affected: 12.4.0 , ≤ 12.4.3 (semver) Affected: 12.4.3 , < 12.4.3+security-02 (custom) Affected: 13.0.0 , ≤ 13.0.1 (semver) Affected: 13.0.1 , < 13.0.1+security-01 (custom) |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:12:23.118907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:12:49.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "8.2.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:26.610Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28379"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Viewer-triggered race condition in Grafana Live leads to complete server crash",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28379",
"datePublished": "2026-05-13T19:28:25.836Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-06-22T16:31:26.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21728 (GCVE-0-2026-21728)
Vulnerability from cvelistv5 – Published: 2026-04-24 08:00 – Updated: 2026-06-22 16:31
VLAI
Title
Tempo query limit results in unbounded memory allocation
Summary
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.
Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
Date Public
2026-02-23 07:40
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T11:29:58.649315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T13:06:58.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tempo",
"vendor": "Grafana",
"versions": [
{
"lessThan": "v2.11.0",
"status": "affected",
"version": "v1.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-23T07:40:45.862Z",
"descriptions": [
{
"lang": "en",
"value": "Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.\n\nMitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:21.327Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21728"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Tempo query limit results in unbounded memory allocation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21728",
"datePublished": "2026-04-24T08:00:47.074Z",
"dateReserved": "2026-01-05T09:26:06.215Z",
"dateUpdated": "2026-06-22T16:31:21.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21726 (GCVE-0-2026-21726)
Vulnerability from cvelistv5 – Published: 2026-04-15 19:24 – Updated: 2026-06-22 16:31
VLAI
Title
Loki Path Traversal - CVE-2021-36156 Bypass
Summary
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}
Thanks to Prasanth Sundararajan for reporting this vulnerability.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Date Public
2026-04-15 19:20
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T20:01:24.769436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T18:58:17.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Loki",
"vendor": "Grafana",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "2.3.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-15T19:20:00.780Z",
"descriptions": [
{
"lang": "en",
"value": "The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}\n\nThanks to Prasanth Sundararajan for reporting this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:16.043Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21726"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Loki Path Traversal - CVE-2021-36156 Bypass",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21726",
"datePublished": "2026-04-15T19:24:31.268Z",
"dateReserved": "2026-01-05T09:26:06.215Z",
"dateUpdated": "2026-06-22T16:31:16.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41118 (GCVE-0-2025-41118)
Vulnerability from cvelistv5 – Published: 2026-04-15 19:15 – Updated: 2026-06-22 16:31
VLAI
Title
Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection
Summary
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).
If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.
To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.
This vulnerability is fixed in versions:
1.15.x: 1.15.2 and above.
1.16.x: 1.16.1 and above.
1.17.x: 1.17.0 and above (i.e. all versions).
Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
Date Public
2026-04-15 19:12
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T19:32:43.403162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T19:00:12.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pyroscope",
"vendor": "Grafana",
"versions": [
{
"lessThan": "1.16.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-15T19:12:08.514Z",
"descriptions": [
{
"lang": "en",
"value": "Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).\n\nIf the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.\n\nTo exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.\n\nThis vulnerability is fixed in versions:\n\n1.15.x: 1.15.2 and above.\n1.16.x: 1.16.1 and above.\n1.17.x: 1.17.0 and above (i.e. all versions).\n\nThanks to Th\u00e9o Cusnir for reporting this vulnerability to us via our bug bounty program."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:08.897Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-41118"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-41118",
"datePublished": "2026-04-15T19:15:17.689Z",
"dateReserved": "2025-04-16T09:19:26.443Z",
"dateUpdated": "2026-06-22T16:31:08.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21727 (GCVE-0-2026-21727)
Vulnerability from cvelistv5 – Published: 2026-04-15 18:57 – Updated: 2026-06-22 16:31
VLAI
Title
Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
Summary
---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
draft: false
hero:
image: /static/img/heros/hero-legal2.svg
content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion"
date: 2026-01-29
product: Grafana
severity: Low
cve: CVE-2026-21727
cvss_score: "3.3"
cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
fixed_versions:
- ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4"
---
A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4.
Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana Correlations |
Affected:
10.2.0 , < 12.4.0
(semver)
|
Date Public
2026-04-15 18:52
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T19:56:51.668906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T18:59:38.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Correlations",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.4.0",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-15T18:52:20.510Z",
"descriptions": [
{
"lang": "en",
"value": "---\ntitle: Cross-Tenant Legacy Correlation Disclosure and Deletion\ndraft: false\nhero:\n image: /static/img/heros/hero-legal2.svg\n content: \"# Cross-Tenant Legacy Correlation Disclosure and Deletion\"\ndate: 2026-01-29\nproduct: Grafana\nseverity: Low\ncve: CVE-2026-21727\ncvss_score: \"3.3\"\ncvss_vector: \"CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\"\nfixed_versions:\n - \"\u003e=11.6.11 \u003e=12.0.9 \u003e=12.1.6 \u003e=12.2.4\"\n---\nA cross-tenant isolation vulnerability was found in Grafana\u2019s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in \u003e=11.6.11, \u003e=12.0.9, \u003e=12.1.6, and \u003e=12.2.4.\n\nThanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:24.793Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21727"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21727",
"datePublished": "2026-04-15T18:57:25.185Z",
"dateReserved": "2026-01-05T09:26:06.215Z",
"dateUpdated": "2026-06-22T16:31:24.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12141 (GCVE-0-2025-12141)
Vulnerability from cvelistv5 – Published: 2026-04-15 14:59 – Updated: 2026-04-15 18:45
VLAI
Title
Grafana Alerting Editors can edit destination of webhooks they did not create
Summary
In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Information Disclosure
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana Alerting |
Affected:
8.0.0 , ≤ 12.3.0
(semver)
|
Date Public
2025-12-16 20:56
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T18:45:45.527327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T18:45:53.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana Alerting",
"repo": "https://github.com/grafana/grafana",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "12.3.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-12-16T20:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eIn Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.\u003c/span\u003e"
}
],
"value": "In Grafana\u0027s alerting system, users with edit permissions for a contact point, specifically the permissions \u201calert.notifications:write\u201d or \u201calert.notifications.receivers:test\u201d that are granted as part of the fixed role \"Contact Point Writer\", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/S:N/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:59:41.317Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2025-12141/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Grafana Alerting Editors can edit destination of webhooks they did not create",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-12141",
"datePublished": "2026-04-15T14:59:41.317Z",
"dateReserved": "2025-10-24T07:07:00.941Z",
"dateUpdated": "2026-04-15T18:45:53.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27879 (GCVE-0-2026-27879)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:28 – Updated: 2026-06-22 16:31
VLAI
Title
Query resampling can cause unbounded memory allocations
Summary
A resample query can be used to trigger out-of-memory crashes in Grafana.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
Date Public
2026-03-27 14:26
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T15:02:56.347770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:02:59.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:26:32.584Z",
"descriptions": [
{
"lang": "en",
"value": "A resample query can be used to trigger out-of-memory crashes in Grafana."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:28.973Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27879"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Query resampling can cause unbounded memory allocations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27879",
"datePublished": "2026-03-27T14:28:56.133Z",
"dateReserved": "2026-02-24T14:30:17.727Z",
"dateUpdated": "2026-06-22T16:31:28.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28375 (GCVE-0-2026-28375)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:26 – Updated: 2026-06-22 16:31
VLAI
Title
Grafana Testdata datasource can issue unbounded memory allocations
Summary
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
Date Public
2026-03-27 14:23
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T15:00:57.773116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:01:14.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:23:47.094Z",
"descriptions": [
{
"lang": "en",
"value": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:27.463Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28375"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "Grafana Testdata datasource can issue unbounded memory allocations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28375",
"datePublished": "2026-03-27T14:26:19.270Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-06-22T16:31:27.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27876 (GCVE-0-2026-27876)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:24 – Updated: 2026-06-22 16:31
VLAI
Title
RCE on Grafana via sqlExpressions
Summary
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Only instances in the following version ranges are affected:
- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
Date Public
2026-03-27 14:21
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T03:55:48.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:21:53.858Z",
"descriptions": [
{
"lang": "en",
"value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:34.172Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27876"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "RCE on Grafana via sqlExpressions",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27876",
"datePublished": "2026-03-27T14:24:36.771Z",
"dateReserved": "2026-02-24T14:30:17.726Z",
"dateUpdated": "2026-06-22T16:31:34.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27880 (GCVE-0-2026-27880)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:12 – Updated: 2026-06-22 16:31
VLAI
Title
OpenFeature evaluation API reads input data with no bounds
Summary
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
Date Public
2026-03-27 14:08
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:43:21.670196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:56:28.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"broken-link"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27880"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "v12.1.10",
"status": "affected",
"version": "v12.1.0",
"versionType": "semver"
},
{
"lessThan": "v12.2.8",
"status": "affected",
"version": "v12.2.0",
"versionType": "semver"
},
{
"lessThan": "v12.3.6",
"status": "affected",
"version": "v12.3.0",
"versionType": "semver"
},
{
"lessThan": "v12.4.2",
"status": "affected",
"version": "v12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T14:08:45.874Z",
"descriptions": [
{
"lang": "en",
"value": "The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:35.046Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27880"
}
],
"source": {
"discovery": "INTERNAL_FINDING"
},
"title": "OpenFeature evaluation API reads input data with no bounds",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27880",
"datePublished": "2026-03-27T14:12:20.075Z",
"dateReserved": "2026-02-24T14:30:17.727Z",
"dateUpdated": "2026-06-22T16:31:35.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27877 (GCVE-0-2026-27877)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:02 – Updated: 2026-06-22 16:31
VLAI
Title
Public dashboards discloses all direct mode datasources
Summary
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
Date Public
2026-03-27 13:59
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:56:26.128138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:55:59.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"broken-link"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-27T13:59:46.831Z",
"descriptions": [
{
"lang": "en",
"value": "When using public dashboards and direct data-sources, all direct data-sources\u0027 passwords are exposed despite not being used in dashboards.\n\nNo passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments\u0027 security."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:19.544Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-27877"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Public dashboards discloses all direct mode datasources",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-27877",
"datePublished": "2026-03-27T14:02:11.889Z",
"dateReserved": "2026-02-24T14:30:17.726Z",
"dateUpdated": "2026-06-22T16:31:19.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28377 (GCVE-0-2026-28377)
Vulnerability from cvelistv5 – Published: 2026-03-26 21:39 – Updated: 2026-06-22 16:31
VLAI
Title
S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)
Summary
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.
Thanks to william_goodfellow for reporting this vulnerability.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Date Public
2026-03-26 21:34
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:29:52.402572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:54:56.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tempo",
"vendor": "Grafana",
"versions": [
{
"status": "affected",
"version": "2.10.3",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-26T21:34:51.017Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.\n\nThanks to william_goodfellow for reporting this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:23.962Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28377"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28377",
"datePublished": "2026-03-26T21:39:46.928Z",
"dateReserved": "2026-02-27T07:16:12.218Z",
"dateUpdated": "2026-06-22T16:31:23.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21724 (GCVE-0-2026-21724)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:06 – Updated: 2026-06-22 16:31
VLAI
Title
Missing Protected-field Authorization in Provisioning Contact Points API
Summary
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-285 - Improper Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
12.3.1 , < 12.3.6
(semver)
Affected: 12.2.2 , < 12.2.8 (semver) Affected: 12.1.5 , < 12.1.10 (semver) Affected: 11.6.9 , < 11.6.14 (semver) |
Date Public
2026-03-25 22:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:42:43.732342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:56:12.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.1",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.2",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.1.5",
"versionType": "semver"
},
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.9",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-25T22:00:37.352Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:31.580Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21724"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Missing Protected-field Authorization in Provisioning Contact Points API",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21724",
"datePublished": "2026-03-26T20:06:18.829Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-06-22T16:31:31.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33375 (GCVE-0-2026-33375)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:05 – Updated: 2026-06-22 16:31
VLAI
Title
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
Summary
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
11.6.0 , < 11.6.14+security-01
(semver)
Affected: 12.1.0 , < 12.1.10+security-01 (semver) Affected: 12.2.0 , < 12.2.8+security-01 (semver) Affected: 12.3.0 , < 12.3.6+security-01 (semver) Affected: 12.4.0 , < 12.4.2 (semver) |
Date Public
2026-03-26 12:52
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:39:23.654250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:40:37.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10+security-01",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-26T12:52:32.117Z",
"descriptions": [
{
"lang": "en",
"value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:31:22.181Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33375"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33375",
"datePublished": "2026-03-26T20:05:52.564Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-06-22T16:31:22.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}