Skip to main content

Grafana Loki EUVDEUVD-2026-44862

| CVE-2026-21729 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-16 GRAFANA GHSA-65p5-8cm9-qcxx
7.5
CVSS 3.1 · Vendor: GRAFANA
Share

Severity by source

Vendor (GRAFANA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable query API, low-complexity oversized-limit request, no auth modeled (PR:N), and pure availability impact via memory exhaustion (A:H, C:N, I:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GRAFANA).

CVSS VectorVendor: GRAFANA

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 03:46 vuln.today
CVE Published
Jul 16, 2026 - 03:12 cve.org
HIGH 7.5

DescriptionCVE.org

Loki queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.

AnalysisAI

Uncontrolled memory allocation in Grafana Loki lets remote unauthenticated users issue queries with excessively large limit values, forcing the service to allocate large amounts of memory and potentially exhausting host resources. The impact is denial of service (CVSS 7.5, A:H only) and varies by deployment topology - a single-binary or under-provisioned deployment is far more exposed than a horizontally scaled microservices setup. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Loki query HTTP API
Delivery
Craft query with huge limit
Exploit
Trigger oversized memory allocation
Execution
Repeat to exhaust host memory
Impact
Querier/ingester degradation or crash (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to Loki's HTTP query API and the ability to submit a query with an unusually large result limit; the CVSS models this as unauthenticated (PR:N) with no user interaction, so no credentials or victim action are modeled as required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) scores 7.5 and reflects a network-reachable, low-complexity, unauthenticated availability attack with no confidentiality or integrity impact - a classic resource-exhaustion DoS rather than a code-execution or data-exposure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Loki HTTP query API sends a LogQL query specifying a very large limit value, causing the querier to attempt a correspondingly large memory allocation. Repeating or scaling such requests drives memory pressure that degrades or crashes the affected components, denying service to legitimate users; because the CVSS complexity is low and no authentication is modeled, the request requires no special tooling beyond API access.
Remediation Consult the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-21729 and upgrade to the vendor's fixed release; the exact patched version was not included in the provided data and should be taken directly from that advisory rather than assumed (Patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Grafana Loki deployments accessible from untrusted networks and apply immediate rate limiting to query endpoints via reverse proxy or WAF rules targeting /loki/api/v1/query. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44862 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy