Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable query API, low-complexity oversized-limit request, no auth modeled (PR:N), and pure availability impact via memory exhaustion (A:H, C:N, I:N).
Primary rating from Vendor (GRAFANA).
CVSS VectorVendor: GRAFANA
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Loki queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.
AnalysisAI
Uncontrolled memory allocation in Grafana Loki lets remote unauthenticated users issue queries with excessively large limit values, forcing the service to allocate large amounts of memory and potentially exhausting host resources. The impact is denial of service (CVSS 7.5, A:H only) and varies by deployment topology - a single-binary or under-provisioned deployment is far more exposed than a horizontally scaled microservices setup. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to Loki's HTTP query API and the ability to submit a query with an unusually large result limit; the CVSS models this as unauthenticated (PR:N) with no user interaction, so no credentials or victim action are modeled as required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) scores 7.5 and reflects a network-reachable, low-complexity, unauthenticated availability attack with no confidentiality or integrity impact - a classic resource-exhaustion DoS rather than a code-execution or data-exposure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the Loki HTTP query API sends a LogQL query specifying a very large limit value, causing the querier to attempt a correspondingly large memory allocation. Repeating or scaling such requests drives memory pressure that degrades or crashes the affected components, denying service to legitimate users; because the CVSS complexity is low and no authentication is modeled, the request requires no special tooling beyond API access. |
| Remediation | Consult the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-21729 and upgrade to the vendor's fixed release; the exact patched version was not included in the provided data and should be taken directly from that advisory rather than assumed (Patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Grafana Loki deployments accessible from untrusted networks and apply immediate rate limiting to query endpoints via reverse proxy or WAF rules targeting /loki/api/v1/query. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by doub
An issue was discovered in Grafana Loki through 2.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44862
GHSA-65p5-8cm9-qcxx