
Grafana OSS CVE-2026-28383

EUVD-2026-30141 · MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-13 · Grafana · GHSA-9mfc-92xm-c5mf
CVSS 3.1 base score 6.5 (NVD)

Severity by source

NVD (primary): 6.5 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE: MEDIUM (qualitative)
Red Hat: 6.5 MEDIUM (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis generated: Jun 08, 2026 12:39 (vuln.today)
Patch available: May 13, 2026 21:02 (EUVD)

Description (CVE.org)

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

Analysis (AI)

Unbounded memory allocation in Grafana OSS's plugin resources endpoint allows any authenticated low-privileged user to trigger an out-of-memory condition by sending a sufficiently large HTTP request body, resulting in denial of service against the Grafana instance. Affected versions span a wide range from 6.7.0 through 13.0.1, with vendor-released security patches available across all supported branches. …
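The flaw class is easiest to see side by side with its fix. The following is an added example written for this page, not Grafana's code: a constructed stand-in for a plugin resource proxy that reads the body with io.ReadAll and therefore allocates whatever the client sends, next to the same handler wrapped in http.MaxBytesReader. The route path, the 1 MiB cap and the handler names are assumptions for illustration; the advisory quotes none of them.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxResourceBody is an assumed cap for this example. In practice, size it
// from the largest plugin resource payload your dashboards legitimately send.
const maxResourceBody = 1 << 20 // 1 MiB

// vulnerableResourceHandler shows the flaw class the advisory describes:
// io.ReadAll keeps growing its buffer until the client stops sending, so the
// allocation is bounded only by what the client chooses to send. This is a
// constructed stand-in, not Grafana's handler.
func vulnerableResourceHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no upper bound
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "forwarded %d bytes", len(body))
}

// hardenedResourceHandler wraps the body before any read. MaxBytesReader
// returns *http.MaxBytesError once the cap is exceeded and, on a real
// net/http server, also tells the server to close the connection rather than
// drain the remainder of the body. A Content-Length check alone would not
// cover chunked uploads; the reader wrapper covers both.
func hardenedResourceHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxResourceBody)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "forwarded %d bytes", len(body))
}

// post drives a handler in-process with a constructed request and returns the
// HTTP status it produced. The path is illustrative; the advisory does not
// quote the exact route.
func post(h http.HandlerFunc, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/plugins/example-app/resources/query", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	oversized := strings.Repeat("A", maxResourceBody+1)
	fmt.Println("vulnerable, oversized body:", post(vulnerableResourceHandler, oversized))
	fmt.Println("hardened, oversized body:  ", post(hardenedResourceHandler, oversized))
	fmt.Println("hardened, body at limit:   ", post(hardenedResourceHandler, strings.Repeat("A", maxResourceBody)))
}
```

The vulnerable handler answers 200 no matter how large the body is, which is the behaviour an authenticated user abuses here; the hardened one answers 413 one byte past the cap and 200 at the cap. The wrap has to happen before the first read of r.Body, which is why it belongs at the top of the handler rather than in a later helper.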


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to Grafana with a low-privilege account
Delivery: Craft an oversized HTTP request body
Exploit: Send the request to the plugin resources endpoint
Execution: Grafana reads the entire body into the heap without a size limit
Persist: Memory exhausted on the Grafana host
Impact: Grafana process killed or unresponsive (DoS)

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid authenticated session in Grafana with at least low-privilege access (confirmed by CVSS PR:L). No user interaction and no special preconditions beyond that session are needed, and the endpoint is reachable over the network. …
Risk Assessment: Several signals collectively indicate this is a low-to-moderate real-world priority despite the CVSS 6.5 base score: the impact is limited to availability, the attacker must already hold an account, and the condition is a resource-exhaustion bug rather than a memory-safety flaw. …
Exploit Scenario: An authenticated Grafana user, even one holding only the default Viewer or Editor role, crafts an HTTP POST or PUT request with an arbitrarily large body and sends it to the Grafana plugin resources endpoint. The Grafana backend allocates memory proportional to the full request body size without bounds; with a sufficiently large request, or repeated requests, it exhausts available system memory, and the Grafana process is either killed by the OS OOM killer or becomes unresponsive. …
Remediation: The primary remediation is to upgrade to the vendor-released security build for your installed branch: 11.6.14+security-04 for the 11.x line, 12.2.8+security-04 for the 12.2.x line, 12.3.6+security-04 for the 12.3.x line, 12.4.3+security-02 for the 12.4.x line, or 13.0.1+security-01 for the 13.x line. Note that the plain 13.0.1 release is inside the affected range; only the +security-01 build carries the fix. Until the upgrade is in place, capping request body size at a reverse proxy in front of Grafana (for example nginx's client_max_body_size) limits how much any authenticated user can send to any endpoint, and restricting who can obtain an account reduces the attacker population. …
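Checking a fleet against the branch-specific fix builds above is error-prone by eye because a plain release (12.3.6) and its security rebuild (12.3.6+security-04) differ only in the suffix. The following added example, written for this page and not part of vuln.today or Grafana, parses a Grafana version string, orders a "+security-NN" build after the plain release with the same number (an assumption about Grafana's versioning, not something the advisory states), and compares it with the remediation table quoted on this page. The status strings and the treatment of branches the page lists no fix for are my own choices.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// grafanaVersion is a parsed release string such as "12.3.5" or
// "12.3.6+security-04". security is 0 when there is no +security-NN suffix.
type grafanaVersion struct {
	major, minor, patch int
	security            int
}

// parseGrafanaVersion accepts "MAJOR.MINOR.PATCH" with an optional
// "+security-NN" build suffix and a tolerated leading "v".
func parseGrafanaVersion(s string) (grafanaVersion, error) {
	var v grafanaVersion
	base, suffix, _ := strings.Cut(strings.TrimPrefix(s, "v"), "+")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unexpected version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unexpected version %q", s)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	if suffix != "" {
		if !strings.HasPrefix(suffix, "security-") {
			return v, fmt.Errorf("unexpected build suffix in %q", s)
		}
		n, err := strconv.Atoi(strings.TrimPrefix(suffix, "security-"))
		if err != nil || n <= 0 {
			return v, fmt.Errorf("unexpected build suffix in %q", s)
		}
		v.security = n
	}
	return v, nil
}

// less orders versions numerically, with a security rebuild sorting after the
// plain release it rebuilds (assumption about Grafana's scheme, see lead-in).
func (a grafanaVersion) less(b grafanaVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.security < b.security
}

// fixedVersions is the remediation table quoted on this page, keyed by branch.
var fixedVersions = map[string]string{
	"11.6": "11.6.14+security-04",
	"12.2": "12.2.8+security-04",
	"12.3": "12.3.6+security-04",
	"12.4": "12.4.3+security-02",
	"13.0": "13.0.1+security-01",
}

// firstAffected is the start of the affected range the page gives.
const firstAffected = "6.7.0"

// checkCVE202628383 returns one of "fixed", "vulnerable",
// "below-affected-range" or "no-fix-listed". The last covers branches the
// page names no fix build for (end-of-life lines such as 12.1.x, and any
// release newer than the table), which the page alone cannot classify.
func checkCVE202628383(version string) (string, error) {
	v, err := parseGrafanaVersion(version)
	if err != nil {
		return "", err
	}
	first, _ := parseGrafanaVersion(firstAffected)
	if v.less(first) {
		return "below-affected-range", nil
	}
	fixStr, ok := fixedVersions[fmt.Sprintf("%d.%d", v.major, v.minor)]
	if !ok {
		return "no-fix-listed", nil
	}
	fix, _ := parseGrafanaVersion(fixStr)
	if v.less(fix) {
		return "vulnerable", nil
	}
	return "fixed", nil
}

func main() {
	for _, ver := range []string{"12.3.5", "12.3.6", "12.3.6+security-04", "13.0.1", "13.0.1+security-01", "12.1.2"} {
		status, err := checkCVE202628383(ver)
		if err != nil {
			fmt.Println(ver, "->", err)
			continue
		}
		fmt.Println(ver, "->", status)
	}
}
```

The value of the security suffix matters: 11.6.14+security-03 is still below the 11.6.14+security-04 fix build, so a checker that strips build metadata (as strict semver comparison does) would wrongly report it fixed.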


Vendor Status

SUSE (severity: Medium)

Product status:
  • SUSE Linux Enterprise Module for Package Hub 15 SP7: Fixed
  • SUSE Manager Client Tools 15: Fixed
  • SUSE Manager Client Tools for SLE 15: Fixed
  • SUSE Multi-Linux Manager Client Tools for SLE 15: Fixed
  • SUSE Linux Enterprise Module for Package Hub 15 SP4: Fixed


