Aggregates CVE and security vulnerability intelligence across all Grafana Labs-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk memory corruption, vendor risk buffer overflow, and vendor risk input validation; exposure may include vendor impact file overwrite in vendor surface production workloads contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-33378 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server. | [email protected] | 6.5 | 0.04% | 2026-05-13 | 2026-05-28 |
| CVE-2026-33377 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. | [email protected] | 7.1 | 0.03% | 2026-05-13 | 2026-06-02 |
| CVE-2026-33376 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here. | [email protected] | 7.4 | 0.03% | 2026-05-13 | 2026-06-02 |
| CVE-2026-28383 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service. | [email protected] | 6.5 | 0.04% | 2026-05-13 | 2026-06-02 |
| CVE-2026-28380 | Any Editor could delete any snapshot, even if they have no access to read or write them. | [email protected] | 6.5 | 0.03% | 2026-05-13 | 2026-06-02 |
| CVE-2026-28379 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server. | [email protected] | 6.5 | 0.04% | 2026-05-13 | 2026-06-02 |
| CVE-2026-28376 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue. | [email protected] | 6.5 | 0.04% | 2026-05-13 | 2026-05-18 |
| CVE-2026-28374 | Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. | [email protected] | 4.3 | 0.03% | 2026-05-13 | 2026-06-02 |
| CVE-2026-21727 | --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affectin | [email protected] | 3.3 | 0.01% | 2026-04-15 | 2026-04-20 |
| CVE-2026-21726 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability. | [email protected] | 5.3 | 0.01% | 2026-04-15 | 2026-04-20 |
| CVE-2025-41118 | Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are onl | [email protected] | 9.1 | 0.03% | 2026-04-15 | 2026-04-20 |
| CVE-2025-12141 | In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication c | [email protected] | 1.3 | 0.06% | 2026-04-15 | 2026-04-20 |
| CVE-2026-28375 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | [email protected] | 6.5 | 0.01% | 2026-03-27 | 2026-03-31 |
| CVE-2026-27880 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. | [email protected] | 7.5 | 0.01% | 2026-03-27 | 2026-05-10 |
| CVE-2026-27879 | A resample query can be used to trigger out-of-memory crashes in Grafana. | [email protected] | 6.5 | 0.01% | 2026-03-27 | 2026-03-31 |
| CVE-2026-27877 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security. | [email protected] | 6.5 | 0.01% | 2026-03-27 | 2026-05-10 |
| CVE-2026-27876 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not | [email protected] | 9.1 | 0.18% | 2026-03-27 | 2026-04-02 |
| CVE-2026-28377 | A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability. | [email protected] | 7.5 | 0.02% | 2026-03-26 | 2026-03-31 |
| CVE-2026-33375 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container. | [email protected] | 6.5 | 0.01% | 2026-03-26 | 2026-03-31 |
| CVE-2026-21724 | A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. | [email protected] | 5.4 | 0.03% | 2026-03-26 | 2026-04-14 |