Skip to main content

Grafana OSS EUVD-2026-30144

| CVE-2026-33378 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-13 GRAFANA GHSA-rr8q-qwrv-9pf6
Denial Of Service Grafana Oss
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:34 vuln.today
Patch available
May 13, 2026 - 21:02 EUVD

DescriptionCVE.org

Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.

AnalysisAI

Uncontrolled resource consumption in Grafana OSS allows authenticated low-privilege users to trigger an out-of-memory (OOM) crash by exploiting the $__timeGroup macro against a configured SQL datasource. The attack is slow by nature - requiring upwards of 30 minutes to exhaust server memory - and affects Grafana OSS versions spanning from 8.0.0 through 13.0.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Grafana with low-privilege account
Delivery
Identify panel using SQL datasource
Exploit
Craft query using $__timeGroup macro to maximize memory allocation
Execution
Submit repeated or sustained crafted queries over ~30 minutes
Persist
Exhaust Grafana server memory
Impact
Crash Grafana process, denying service to all users
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Grafana user account with at minimum low-privilege access (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 score reflects a network-reachable, low-complexity denial-of-service with a significant availability impact (A:H) but zero confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Grafana user with at least Viewer-level access to a dashboard backed by a SQL datasource crafts or modifies a panel query using the $__timeGroup macro in a manner that drives excessive memory allocation on the Grafana server process. Over approximately 30 minutes of sustained crafted queries, server memory is exhausted and the Grafana process crashes, causing a denial of service to all users. …
Remediation The primary fix is to upgrade Grafana OSS to one of the following vendor-released patched versions corresponding to your release branch: 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, or 13.0.1+security-01. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Manager Client Tools 15 Fixed
SUSE Manager Client Tools for SLE 15 Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4 Fixed

Share

EUVD-2026-30144 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy