CVE-2026-21720
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Analysis
Grafana is vulnerable to denial of service through resource exhaustion when processing uncached avatar requests with random hashes. Sustained requests cause goroutines to accumulate indefinitely due to timeout handling issues, eventually consuming all available memory and crashing the application. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Assess current avatar caching configuration and identify the percentage of uncached requests in production traffic. Within 7 days: Implement aggressive caching policies for Gravatar images, reduce worker queue timeout thresholds, or disable dynamic avatar refresh if not business-critical. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today