CVE-2026-28383 (GCVE-0-2026-28383)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:28 – Updated: 2026-06-17 11:59
VLAI
EPSS
Title
Grafana plugin resources can lead to unbounded memory allocation
Summary
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana OSS | Affected: 6.7.0 , ≤ 11.6.14 (semver)<br>Affected: 11.6.14 , < 11.6.14+security-04 (custom)<br>Affected: 12.0.0 , ≤ 12.2.8 (semver)<br>Affected: 12.2.8 , < 12.2.8+security-04 (custom)<br>Affected: 12.3.0 , ≤ 12.3.6 (semver)<br>Affected: 12.3.6 , < 12.3.6+security-04 (custom)<br>Affected: 12.4.0 , ≤ 12.4.3 (semver)<br>Affected: 12.4.3 , < 12.4.3+security-02 (custom)<br>Affected: 13.0.0 , ≤ 13.0.1 (semver)<br>Affected: 13.0.1 , < 13.0.1+security-01 (custom) | |
Date Public
2026-05-13 07:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:35:48.301448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:36:22.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThanOrEqual": "11.6.14",
"status": "affected",
"version": "6.7.0",
"versionType": "semver"
},
{
"lessThan": "11.6.14+security-04",
"status": "affected",
"version": "11.6.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.2.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-04",
"status": "affected",
"version": "12.2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3.6",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-04",
"status": "affected",
"version": "12.3.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.4.3",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
},
{
"lessThan": "12.4.3+security-02",
"status": "affected",
"version": "12.4.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "13.0.1",
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
},
{
"lessThan": "13.0.1+security-01",
"status": "affected",
"version": "13.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-05-13T07:44:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T11:59:08.547Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28383"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Grafana plugin resources can lead to unbounded memory allocation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-28383",
"datePublished": "2026-05-13T19:28:36.952Z",
"dateReserved": "2026-02-27T07:16:12.219Z",
"dateUpdated": "2026-06-17T11:59:08.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-28383",
"date": "2026-06-17",
"epss": "0.00328",
"percentile": "0.24441"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-28383\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2026-05-13T20:16:20.130\",\"lastModified\":\"2026-06-02T19:28:54.580\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.5.0\",\"versionEndExcluding\":\"11.6.14\",\"matchCriteriaId\":\"3EB52192-B43E-44FD-A838-245DD579DF4E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndExcluding\":\"12.2.8\",\"matchCriteriaId\":\"37747AB2-8B5F-4BD3-860E-0C092A9F78F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.3.0\",\"versionEndExcluding\":\"12.3.6\",\"matchCriteriaId\":\"870FE01F-86F1-4734-9CC3-6FC9AF3012C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*
:*:*:*:*:*\",\"versionStartIncluding\":\"12.4.0\",\"versionEndExcluding\":\"12.4.3\",\"matchCriteriaId\":\"4451FBC6-6277-4DD8-B143-0DAE82175D9A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:11.6.14:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"548C63DC-4E7F-4D9E-B2F0-AB24A66E0F7F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:11.6.14:security01:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F103470-1371-498E-9442-11EA7C2E3A6B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:12.2.8:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"4ACC0DB6-8BC4-4975-AD26-D41F69571EF6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:12.2.8:security01:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EBE773D-17BB-4402-B0B8-74D3DD79B32C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:12.3.6:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A58801D-1713-4A52-8713-9DD31F75698D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:12.3.6:security01:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C930B25-FD06-477C-B226-DEB486A46DAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:12.4.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"172F03B1-E693-4EF3-90A0-D40773E4ACB4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F0B8E4F-ADE7-4594-9241-966B1F0BC440\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:13.0.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AD87DC5-DF20-4993-A11B-91EBB313A40A\"}]}]}],\"references\":[{\"url\":\"https://grafana.com/security/security-advisories/cve-2026-28383\",\"source\":\"security@grafana.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28383\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-14T12:35:48.301448Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-14T12:36:08.072Z\"}}], \"cna\": {\"title\": \"Grafana plugin resources can lead to unbounded memory allocation\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"}}], \"affected\": [{\"vendor\": \"Grafana\", \"product\": \"Grafana OSS\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.7.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.6.14\"}, {\"status\": \"affected\", \"version\": \"11.6.14\", \"lessThan\": \"11.6.14+security-04\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"12.2.8\"}, {\"status\": \"affected\", \"version\": \"12.2.8\", \"lessThan\": \"12.2.8+security-04\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.3.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"12.3.6\"}, {\"status\": \"affected\", \"version\": \"12.3.6\", \"lessThan\": \"12.3.6+security-04\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.4.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"12.4.3\"}, {\"status\": \"affected\", \"version\": \"12.4.3\", \"lessThan\": 
\"12.4.3+security-02\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"13.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"13.0.1\"}, {\"status\": \"affected\", \"version\": \"13.0.1\", \"lessThan\": \"13.0.1+security-01\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-05-13T07:44:00.000Z\", \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2026-28383\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.\"}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2026-06-17T11:59:08.547Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-28383\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-17T11:59:08.547Z\", \"dateReserved\": \"2026-02-27T07:16:12.219Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2026-05-13T19:28:36.952Z\", \"assignerShortName\": \"GRAFANA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
bit-grafana-2026-28383
Vulnerability from bitnami_vulndb
Published
2026-05-15 08:42
Modified
2026-05-15 09:12
Summary
Grafana plugin resources can lead to unbounded memory allocation
Details
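A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
Note: the SEMVER ranges in this record give the bare release (for example 11.6.14) as the fixed version, whereas the CNA record above marks that same release as affected until its "+security" build (11.6.14+security-04). Semver ordering ignores build metadata, so a version comparison alone cannot tell a patched build from an unpatched one; check the exact installed build against the vendor advisory.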
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "6.7.0"
},
{
"fixed": "11.6.14"
},
{
"introduced": "12.0.0"
},
{
"fixed": "12.2.8"
},
{
"introduced": "12.3.0"
},
{
"fixed": "12.3.6"
},
{
"introduced": "12.4.0"
},
{
"fixed": "12.4.3"
},
{
"introduced": "13.0.0"
},
{
"fixed": "13.0.1"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2026-28383"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*"
],
"severity": "Medium"
},
"details": "A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.",
"id": "BIT-grafana-2026-28383",
"modified": "2026-05-15T09:12:54.074Z",
"published": "2026-05-15T08:42:40.608Z",
"references": [
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2026-28383"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28383"
}
],
"schema_version": "1.6.2",
"summary": "Grafana plugin resources can lead to unbounded memory allocation"
}
FKIE_CVE-2026-28383
Vulnerability from fkie_nvd - Published: 2026-05-13 20:16 - Updated: 2026-06-02 19:28
Severity
Summary
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
References
| Source | URL | Tags |
|---|---|---|
| security@grafana.com | https://grafana.com/security/security-advisories/cve-2026-28383 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| grafana | grafana | * | |
| grafana | grafana | * | |
| grafana | grafana | * | |
| grafana | grafana | * | |
| grafana | grafana | 11.6.14 | |
| grafana | grafana | 11.6.14 | |
| grafana | grafana | 12.2.8 | |
| grafana | grafana | 12.2.8 | |
| grafana | grafana | 12.3.6 | |
| grafana | grafana | 12.3.6 | |
| grafana | grafana | 12.4.3 | |
| grafana | grafana | 13.0.0 | |
| grafana | grafana | 13.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3EB52192-B43E-44FD-A838-245DD579DF4E",
"versionEndExcluding": "11.6.14",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37747AB2-8B5F-4BD3-860E-0C092A9F78F0",
"versionEndExcluding": "12.2.8",
"versionStartIncluding": "12.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "870FE01F-86F1-4734-9CC3-6FC9AF3012C5",
"versionEndExcluding": "12.3.6",
"versionStartIncluding": "12.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4451FBC6-6277-4DD8-B143-0DAE82175D9A",
"versionEndExcluding": "12.4.3",
"versionStartIncluding": "12.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:11.6.14:-:*:*:*:*:*:*",
"matchCriteriaId": "548C63DC-4E7F-4D9E-B2F0-AB24A66E0F7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:11.6.14:security01:*:*:*:*:*:*",
"matchCriteriaId": "5F103470-1371-498E-9442-11EA7C2E3A6B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:12.2.8:-:*:*:*:*:*:*",
"matchCriteriaId": "4ACC0DB6-8BC4-4975-AD26-D41F69571EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:12.2.8:security01:*:*:*:*:*:*",
"matchCriteriaId": "9EBE773D-17BB-4402-B0B8-74D3DD79B32C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:12.3.6:-:*:*:*:*:*:*",
"matchCriteriaId": "6A58801D-1713-4A52-8713-9DD31F75698D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:12.3.6:security01:*:*:*:*:*:*",
"matchCriteriaId": "5C930B25-FD06-477C-B226-DEB486A46DAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:12.4.3:-:*:*:*:*:*:*",
"matchCriteriaId": "172F03B1-E693-4EF3-90A0-D40773E4ACB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:13.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F0B8E4F-ADE7-4594-9241-966B1F0BC440",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:13.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "2AD87DC5-DF20-4993-A11B-91EBB313A40A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service."
}
],
"id": "CVE-2026-28383",
"lastModified": "2026-06-02T19:28:54.580",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@grafana.com",
"type": "Secondary"
}
]
},
"published": "2026-05-13T20:16:20.130",
"references": [
{
"source": "security@grafana.com",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-28383"
}
],
"sourceIdentifier": "security@grafana.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-9MFC-92XM-C5MF
Vulnerability from github – Published: 2026-05-13 21:32 – Updated: 2026-05-13 21:32
VLAI
Details
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
Severity
6.5 (Medium)
{
"affected": [],
"aliases": [
"CVE-2026-28383"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T20:16:20Z",
"severity": "MODERATE"
},
"details": "A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.",
"id": "GHSA-9mfc-92xm-c5mf",
"modified": "2026-05-13T21:32:06Z",
"published": "2026-05-13T21:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28383"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2026-28383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
OPENSUSE-SU-2026:10932-1
Vulnerability from csaf_opensuse - Published: 2026-06-02 00:00 - Updated: 2026-06-02 00:00
Summary
grafana-11.6.14+security04-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: grafana-11.6.14+security04-1.1 on GA media
Description of the patch: These are all security issues fixed in the grafana-11.6.14+security04-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10932
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.4 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.7 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
32 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-11.6.14+security04-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-11.6.14+security04-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10932",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10932-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28374 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28374/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28376 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28376/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28379 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28379/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28380 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28380/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-28383 page",
"url": "https://www.suse.com/security/cve/CVE-2026-28383/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33376 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33376/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33377 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33377/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33378 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33378/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33380 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33380/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33381 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33381/"
}
],
"title": "grafana-11.6.14+security04-1.1 on GA media",
"tracking": {
"current_release_date": "2026-06-02T00:00:00Z",
"generator": {
"date": "2026-06-02T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10932-1",
"initial_release_date": "2026-06-02T00:00:00Z",
"revision_history": [
{
"date": "2026-06-02T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security04-1.1.aarch64",
"product": {
"name": "grafana-11.6.14+security04-1.1.aarch64",
"product_id": "grafana-11.6.14+security04-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security04-1.1.ppc64le",
"product": {
"name": "grafana-11.6.14+security04-1.1.ppc64le",
"product_id": "grafana-11.6.14+security04-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security04-1.1.s390x",
"product": {
"name": "grafana-11.6.14+security04-1.1.s390x",
"product_id": "grafana-11.6.14+security04-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.6.14+security04-1.1.x86_64",
"product": {
"name": "grafana-11.6.14+security04-1.1.x86_64",
"product_id": "grafana-11.6.14+security04-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security04-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64"
},
"product_reference": "grafana-11.6.14+security04-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security04-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le"
},
"product_reference": "grafana-11.6.14+security04-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security04-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x"
},
"product_reference": "grafana-11.6.14+security04-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.6.14+security04-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
},
"product_reference": "grafana-11.6.14+security04-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-28374",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28374"
}
],
"notes": [
{
"category": "general",
"text": "Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28374",
"url": "https://www.suse.com/security/cve/CVE-2026-28374"
},
{
"category": "external",
"summary": "SUSE Bug 1265290 for CVE-2026-28374",
"url": "https://bugzilla.suse.com/1265290"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-28374"
},
{
"cve": "CVE-2026-28376",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28376"
}
],
"notes": [
{
"category": "general",
"text": "The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28376",
"url": "https://www.suse.com/security/cve/CVE-2026-28376"
},
{
"category": "external",
"summary": "SUSE Bug 1265289 for CVE-2026-28376",
"url": "https://bugzilla.suse.com/1265289"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-28376"
},
{
"cve": "CVE-2026-28379",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28379"
}
],
"notes": [
{
"category": "general",
"text": "A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28379",
"url": "https://www.suse.com/security/cve/CVE-2026-28379"
},
{
"category": "external",
"summary": "SUSE Bug 1265288 for CVE-2026-28379",
"url": "https://bugzilla.suse.com/1265288"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-28379"
},
{
"cve": "CVE-2026-28380",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28380"
}
],
"notes": [
{
"category": "general",
"text": "Any Editor could delete any snapshot, even if they have no access to read or write them.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28380",
"url": "https://www.suse.com/security/cve/CVE-2026-28380"
},
{
"category": "external",
"summary": "SUSE Bug 1265287 for CVE-2026-28380",
"url": "https://bugzilla.suse.com/1265287"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-28380"
},
{
"cve": "CVE-2026-28383",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-28383"
}
],
"notes": [
{
"category": "general",
"text": "A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-28383",
"url": "https://www.suse.com/security/cve/CVE-2026-28383"
},
{
"category": "external",
"summary": "SUSE Bug 1265286 for CVE-2026-28383",
"url": "https://bugzilla.suse.com/1265286"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-28383"
},
{
"cve": "CVE-2026-33376",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33376"
}
],
"notes": [
{
"category": "general",
"text": "When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33376",
"url": "https://www.suse.com/security/cve/CVE-2026-33376"
},
{
"category": "external",
"summary": "SUSE Bug 1265285 for CVE-2026-33376",
"url": "https://bugzilla.suse.com/1265285"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33376"
},
{
"cve": "CVE-2026-33377",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33377"
}
],
"notes": [
{
"category": "general",
"text": "An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33377",
"url": "https://www.suse.com/security/cve/CVE-2026-33377"
},
{
"category": "external",
"summary": "SUSE Bug 1265284 for CVE-2026-33377",
"url": "https://bugzilla.suse.com/1265284"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33377"
},
{
"cve": "CVE-2026-33378",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33378"
}
],
"notes": [
{
"category": "general",
"text": "Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33378",
"url": "https://www.suse.com/security/cve/CVE-2026-33378"
},
{
"category": "external",
"summary": "SUSE Bug 1265283 for CVE-2026-33378",
"url": "https://bugzilla.suse.com/1265283"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-33378"
},
{
"cve": "CVE-2026-33380",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33380"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server\u0027s filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33380",
"url": "https://www.suse.com/security/cve/CVE-2026-33380"
},
{
"category": "external",
"summary": "SUSE Bug 1265282 for CVE-2026-33380",
"url": "https://bugzilla.suse.com/1265282"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33380"
},
{
"cve": "CVE-2026-33381",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33381"
}
],
"notes": [
{
"category": "general",
"text": "When a user\u0027s access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33381",
"url": "https://www.suse.com/security/cve/CVE-2026-33381"
},
{
"category": "external",
"summary": "SUSE Bug 1265281 for CVE-2026-33381",
"url": "https://bugzilla.suse.com/1265281"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.6.14+security04-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-02T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-33381"
}
]
}
WID-SEC-W-2026-1546
Vulnerability from csaf_certbund - Published: 2026-05-14 22:00 - Updated: 2026-06-07 22:00
Summary
Grafana: Mehrere Schwachstellen
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Grafana ist eine Analyse- und Visualisierungssoftware.
Angriff: Ein Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um erweiterte Privilegien zu erlangen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme:
- Linux
- UNIX
- Windows
Affected products
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE openSUSE (SUSE) | cpe:/o:suse:opensuse:- | — | |
| Grafana Grafana <13.0.1+security-01 (Grafana / Grafana) | | <13.0.1+security-01 | |
| Grafana Grafana <12.4.3+security-02 (Grafana / Grafana) | | <12.4.3+security-02 | |
| Grafana Grafana <12.3.6+security-04 (Grafana / Grafana) | | <12.3.6+security-04 | |
| Grafana Grafana <12.2.8+security-04 (Grafana / Grafana) | | <12.2.8+security-04 | |
| Grafana Grafana <11.6.14+security-04 (Grafana / Grafana) | | <11.6.14+security-04 | |
References
14 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Grafana ist eine Analyse- und Visualisierungssoftware.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um erweiterte Privilegien zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1546 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1546.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1546 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1546"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-28374 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-28374/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-28376 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-28376/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-28379 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-28379/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-28380 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-28380/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-28383 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-28383/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-33376 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-33376/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-33377 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-33377/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-33378 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-33378/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-33380 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-33380/"
},
{
"category": "external",
"summary": "Grafana Security Advisory CVE-2026-33381 vom 2026-05-14",
"url": "https://grafana.com/security/security-advisories/cve-2026-33381/"
},
{
"category": "external",
"summary": "Grafana Security Advisory vom 2026-05-14",
"url": "https://grafana.com/grafana/download?pg=oss-graf\u0026plcmt=hero-btn-1"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10932-1 vom 2026-06-06",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/D46I7STXAOXZDFKNIBA5QGJP6MQNEFOU/"
}
],
"source_lang": "en-US",
"title": "Grafana: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-06-07T22:00:00.000+00:00",
"generator": {
"date": "2026-06-08T09:29:26.869+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1546",
"initial_release_date": "2026-05-14T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-05-14T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-06-07T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von openSUSE aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c11.6.14+security-04",
"product": {
"name": "Grafana Grafana \u003c11.6.14+security-04",
"product_id": "T054201"
}
},
{
"category": "product_version",
"name": "11.6.14+security-04",
"product": {
"name": "Grafana Grafana 11.6.14+security-04",
"product_id": "T054201-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:11.6.14security-04"
}
}
},
{
"category": "product_version_range",
"name": "\u003c12.2.8+security-04",
"product": {
"name": "Grafana Grafana \u003c12.2.8+security-04",
"product_id": "T054202"
}
},
{
"category": "product_version",
"name": "12.2.8+security-04",
"product": {
"name": "Grafana Grafana 12.2.8+security-04",
"product_id": "T054202-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:12.2.8security-04"
}
}
},
{
"category": "product_version_range",
"name": "\u003c12.3.6+security-04",
"product": {
"name": "Grafana Grafana \u003c12.3.6+security-04",
"product_id": "T054204"
}
},
{
"category": "product_version",
"name": "12.3.6+security-04",
"product": {
"name": "Grafana Grafana 12.3.6+security-04",
"product_id": "T054204-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:12.3.6security-04"
}
}
},
{
"category": "product_version_range",
"name": "\u003c12.4.3+security-02",
"product": {
"name": "Grafana Grafana \u003c12.4.3+security-02",
"product_id": "T054205"
}
},
{
"category": "product_version",
"name": "12.4.3+security-02",
"product": {
"name": "Grafana Grafana 12.4.3+security-02",
"product_id": "T054205-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:12.4.3security-02"
}
}
},
{
"category": "product_version_range",
"name": "\u003c13.0.1+security-01",
"product": {
"name": "Grafana Grafana \u003c13.0.1+security-01",
"product_id": "T054206"
}
},
{
"category": "product_version",
"name": "13.0.1+security-01",
"product": {
"name": "Grafana Grafana 13.0.1+security-01",
"product_id": "T054206-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:13.0.1security-01"
}
}
}
],
"category": "product_name",
"name": "Grafana"
}
],
"category": "vendor",
"name": "Grafana"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-28374",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-28374"
},
{
"cve": "CVE-2026-28376",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-28376"
},
{
"cve": "CVE-2026-28379",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-28379"
},
{
"cve": "CVE-2026-28380",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-28380"
},
{
"cve": "CVE-2026-28383",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-28383"
},
{
"cve": "CVE-2026-33377",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-33377"
},
{
"cve": "CVE-2026-33378",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-33378"
},
{
"cve": "CVE-2026-33380",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-33380"
},
{
"cve": "CVE-2026-33381",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-33381"
},
{
"cve": "CVE-2026-33376",
"product_status": {
"known_affected": [
"T027843",
"T054206",
"T054205",
"T054204",
"T054202",
"T054201"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-33376"
}
]
}
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.