Skip to main content

Grafana OSS CVE-2026-28376

| EUVD-2026-30138 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-13 GRAFANA GHSA-9mjv-w43g-3xj4
Denial Of Service Grafana Grafana Oss
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:38 vuln.today
Patch available
May 13, 2026 - 21:02 EUVD

DescriptionCVE.org

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

AnalysisAI

Unbounded memory allocation in Grafana OSS's Live push endpoint allows any authenticated user to exhaust server memory by submitting a large or streaming HTTP request body, resulting in an out-of-memory condition and denial of service. Confirmed affected branches span Grafana OSS 8.0.0 through 13.0.1 across five actively maintained release lines, with vendor-released security patches available for each. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Grafana credentials
Delivery
Authenticate to target Grafana instance
Exploit
Send streaming HTTP request to Live push endpoint
Execution
Server allocates unbounded heap memory
Persist
OOM condition kills Grafana process
Impact
Denial of service for all users
Sign in to reveal

Vulnerability AssessmentAI

Exploitation An authenticated Grafana user account is required - the CVSS vector PR:L confirms low-privilege credentials suffice; unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS scores this at 6.5 (Medium), driven entirely by the A:H availability impact against a network-accessible endpoint with low-privilege authentication - there is no confidentiality or integrity risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid low-privilege Grafana account (e.g., a Viewer-role user in a shared enterprise instance) crafts an HTTP request targeting the Grafana Live push endpoint and streams a continuously growing request body without a terminating boundary. The Grafana server allocates heap memory to buffer the incoming data without enforcing a size ceiling, consuming available RAM until the process is killed by the OS OOM killer or the system becomes unresponsive, effectively denying service to all other Grafana users on that instance. …
Remediation Upgrade to one of the vendor-released security patch versions corresponding to your current release line: 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, or 13.0.1+security-01, as documented in the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-28376. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-11769 MEDIUM
6.4 Jun 13

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to creat

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Manager Client Tools 15 Fixed
SUSE Manager Client Tools for SLE 15 Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4 Fixed

Share

CVE-2026-28376 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy