Skip to main content

Grafana CVE-2026-21720

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-01-27 security@grafana.com
Grafana Denial Of Service Red Hat Suse
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Jan 27, 2026 - 09:15 nvd
HIGH 7.5

DescriptionCVE.org

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.

AnalysisAI

Grafana is vulnerable to denial of service through resource exhaustion when processing uncached avatar requests with random hashes. Sustained requests cause goroutines to accumulate indefinitely due to timeout handling issues, eventually consuming all available memory and crashing the application. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send sustained HTTP requests to /avatar/:hash endpoint
Delivery
Spawn goroutines exceeding worker queue capacity
Exploit
Trigger handler timeouts on unbuffered channels
Execution
Accumulate blocked goroutines
Impact
Exhaust memory and crash Grafana
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Grafana instance with uncached avatar endpoint enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker could exploit this vulnerability to compromise the affected system.
Remediation Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Assess current avatar caching configuration and identify the percentage of uncached requests in production traffic. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-11769 MEDIUM
6.4 Jun 13

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to creat

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/manager/5.0/x86_64/server:latest Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Manager Client Tools 15 Fixed
SUSE Manager Client Tools for SLE Micro 5 Fixed
SUSE Manager Proxy LTS 4.3 Fixed

Share

CVE-2026-21720 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy