Grafana OSS
Monthly
Improper access control in Grafana OSS allows authenticated Editor-role users to delete any annotation instance-wide, regardless of whether they hold read or create permissions on that annotation. The flaw affects a broad version range from 8.5.0 through 13.0.1, exposing organizations to unauthorized data destruction by low-privileged internal users. No active exploitation has been identified at time of analysis (SSVC: none; EPSS: 0.03%, 8th percentile), and no public exploit code exists; real-world risk is constrained by the authentication prerequisite and partial integrity-only impact.
Uncontrolled resource consumption in Grafana OSS allows authenticated low-privilege users to trigger an out-of-memory (OOM) crash by exploiting the $__timeGroup macro against a configured SQL datasource. The attack is slow by nature - requiring upwards of 30 minutes to exhaust server memory - and affects Grafana OSS versions spanning from 8.0.0 through 13.0.1. Grafana reported this vulnerability directly, a vendor patch is available across all affected release branches, and no public exploit code or active exploitation has been identified at time of analysis.
Unbounded memory allocation in Grafana OSS's plugin resources endpoint allows any authenticated low-privileged user to trigger an out-of-memory condition by sending a sufficiently large HTTP request body, resulting in denial of service against the Grafana instance. Affected versions span a wide range from 6.7.0 through 13.0.1, with vendor-released security patches available across all supported branches. No public exploit exists and CISA has not added this to the KEV catalog; the EPSS score of 0.04% (12th percentile) reflects very low observed exploitation probability.
Authentication bypass in Grafana OSS Auth Proxy allows remote attackers to circumvent IPv6 allow-list restrictions because the feature applies a /32 default mask to IPv6 addresses instead of the appropriate /128, dramatically widening the trusted address space and potentially admitting unauthorized clients into authenticated sessions. The flaw is confined to the Auth Proxy authentication path - Okta, SAML, and LDAP integrations are unaffected - and no public exploit has been identified at time of analysis, with EPSS at 0.03% and SSVC marking exploitation as 'none.'
Arbitrary file read in Grafana OSS exposes server filesystem contents to authenticated low-privilege users when the sqlExpressions feature toggle is enabled. Affected versions span the 11.6.x, 12.x, and 13.0.x release trains, with fixed security builds available across all affected branches. No public exploit code exists and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, the confidentiality impact is rated High by CVSS due to the potential for unrestricted file disclosure from the Grafana server's filesystem.
Missing authorization in Grafana OSS's snapshot deletion endpoint allows any authenticated Editor-role user to delete arbitrary snapshots across the platform, regardless of whether they hold read or write access to those snapshots. Affected versions span a wide release range from 9.4.0 through 13.0.1 across multiple major branches (CPE: cpe:2.3:a:grafana:grafana_oss). With EPSS at 0.03% (8th percentile), SSVC exploitation rated none, and no public exploit identified at time of analysis, the practical threat is primarily insider abuse or compromised Editor credentials being used to destroy monitoring data outside an attacker's legitimate scope.
Privilege revocation race condition in Grafana OSS allows a user whose service-account token-minting permission was just revoked to continue minting tokens for several seconds after the revocation event. The flaw, tagged as an authentication bypass affecting multiple supported branches of Grafana OSS (11.x, 12.x, 13.x), can yield high confidentiality and integrity impact by granting persistent API access via newly minted service-account tokens. No public exploit has been identified at time of analysis, EPSS is very low (0.03%), and SSVC marks exploitation as none - but the vendor has issued patches across all affected branches.
Privilege escalation in Grafana OSS allows an authenticated Editor with write access to a dashboard they do not own to overwrite that dashboard and acquire admin permissions on it. The flaw, tracked as CVE-2026-33377 and disclosed by Grafana with patches across multiple maintained branches, has CVSS 7.1 reflecting high integrity impact via low-privileged network access. There is no public exploit identified at time of analysis, and EPSS sits at 0.03% (8th percentile), but the high integrity impact warrants prompt patching for multi-tenant Grafana deployments.
Unbounded memory allocation in Grafana OSS's Live push endpoint allows any authenticated user to exhaust server memory by submitting a large or streaming HTTP request body, resulting in an out-of-memory condition and denial of service. Confirmed affected branches span Grafana OSS 8.0.0 through 13.0.1 across five actively maintained release lines, with vendor-released security patches available for each. No public exploit code exists and CISA has not listed this in KEV; the EPSS score of 0.04% (12th percentile) and SSVC exploitation status of 'none' collectively indicate low current real-world exploitation activity.
Grafana Live's concurrent request handling exposes authenticated Viewer-role users as a denial-of-service vector: sending concurrent requests triggers a fatal map access error that crashes the entire Grafana server, requiring a manual restart to restore service. All Grafana OSS releases from 8.2.0 through 13.0.1 are affected across multiple maintained branches, making the exposure surface exceptionally broad. No public exploit has been identified at time of analysis and EPSS sits at 0.04% (12th percentile), but the low privilege bar - any Viewer account - and reliable triggering (AC:L) mean insider threats and compromised low-privilege accounts represent a realistic DoS risk for organizations without guest/anonymous access controls.