CVE-2026-21720
Published 2026-01-27
Priority P341 · High · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 0.62% (45.1st percentile)
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
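The leak is a general Go pitfall rather than anything Gravatar-specific: a producer goroutine sends a single result on an unbuffered channel while the consumer may already have stopped receiving. The program below is an added illustration, not Grafana's code or its patch. The 10-slot pool mirrors the advisory's worker queue; the 20 ms simulated refresh, the 5 ms handler timeout and all function names are assumptions chosen so that every request times out. It runs the vulnerable shape and a hardened shape (buffered result channel plus a context check before taking a worker slot) through 30 uncached requests each and reports how many goroutines are stranded afterwards.

```go
package main

import (
	"context"
	"fmt"
	"runtime"
	"time"
)

// Constructed model of the pattern the advisory describes (not Grafana's
// code): a handler queues a Gravatar refresh on a small worker pool and
// waits for the result with a timeout. Slot count, timings and names are
// assumptions chosen so that every simulated request hits the timeout.
const (
	workerSlots    = 10                    // the "10-slot worker queue"
	refreshCost    = 20 * time.Millisecond // simulated upstream round trip
	handlerTimeout = 5 * time.Millisecond  // shorter than refreshCost: every request times out
)

// leakyFetch reproduces the vulnerable shape: the worker's single send
// goes to an unbuffered channel, so once the handler has stopped
// receiving, the worker goroutine blocks on that send forever.
func leakyFetch(pool chan struct{}, hash string) bool {
	ch := make(chan []byte) // unbuffered: the send needs a live receiver
	go func() {
		pool <- struct{}{}      // wait for a worker slot
		time.Sleep(refreshCost) // "refresh the Gravatar image"
		<-pool                  // release the slot
		ch <- []byte(hash)      // handler already returned: blocks forever (the leak)
	}()
	select {
	case <-ch:
		return true
	case <-time.After(handlerTimeout):
		return false // handler gives up; nobody will ever read ch
	}
}

// fixedFetch makes the result channel buffered (capacity 1) so the one
// send always completes, and lets a still-queued job notice the caller's
// context and bail out instead of doing work nobody will consume.
func fixedFetch(pool chan struct{}, hash string) bool {
	ctx, cancel := context.WithTimeout(context.Background(), handlerTimeout)
	defer cancel()
	ch := make(chan []byte, 1) // room for the single result: send never blocks
	go func() {
		select {
		case pool <- struct{}{}:
		case <-ctx.Done():
			return // caller gave up while we were still queued
		}
		time.Sleep(refreshCost)
		<-pool
		ch <- []byte(hash) // buffered: completes without a receiver, goroutine exits
	}()
	select {
	case <-ch:
		return true
	case <-ctx.Done():
		return false
	}
}

// simulate sends n requests with distinct (uncached) hashes through fetch,
// waits for every queued job to finish its simulated refresh, and returns
// how many goroutines remain above the pre-run baseline.
func simulate(n int, fetch func(chan struct{}, string) bool) int {
	baseline := runtime.NumGoroutine()
	pool := make(chan struct{}, workerSlots)
	for i := 0; i < n; i++ {
		fetch(pool, fmt.Sprintf("%032x", i)) // random-looking hash, never cached
	}
	time.Sleep(time.Duration(n/workerSlots+2) * refreshCost) // let the pool drain
	return runtime.NumGoroutine() - baseline
}

func main() {
	fmt.Printf("leaky: %d goroutines stranded after 30 timed-out requests\n", simulate(30, leakyFetch))
	fmt.Printf("fixed: %d goroutines stranded after 30 timed-out requests\n", simulate(30, fixedFetch))
}
```

Run it with go run: the leaky line reports one stranded goroutine per timed-out request (30), the fixed line reports 0. On a live instance the same symptom shows up as a go_goroutines series on Grafana's Prometheus /metrics endpoint that keeps climbing while /avatar/<random> traffic continues and never comes back down once the traffic stops.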
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | — | — |
| grafana | grafana | >= 12.0.0 < 12.0.8 | 12.0.8 |
| grafana | grafana | >= 12.1.0 < 12.1.5 | 12.1.5 |
| grafana | grafana | >= 12.2.0 < 12.2.3 | 12.2.3 |
| grafana | grafana | >= 3.0.0 < 11.6.9 | 11.6.9 |
| grafana | grafana_grafana | >= 3.0.0 < 11.6.9 | 11.6.9 |
| grafana | grafana_grafana | >= 3.0.0 < 12.0.8 | 12.0.8 |
| grafana | grafana_grafana | >= 3.0.0 < 12.1.5 | 12.1.5 |
| grafana | grafana_grafana | >= 3.0.0 < 12.2.3 | 12.2.3 |
| grafana | grafana_grafana | >= 3.0.0 < 12.3.1 | 12.3.1 |
| grafana | grafana_grafana-enterprise | >= 3.0.0 < 11.6.9 | 11.6.9 |
| grafana | grafana_grafana-enterprise | >= 3.0.0 < 12.0.8 | 12.0.8 |
| grafana | grafana_grafana-enterprise | >= 3.0.0 < 12.1.5 | 12.1.5 |
| grafana | grafana_grafana-enterprise | >= 3.0.0 < 12.2.3 | 12.2.3 |
| grafana | grafana_grafana-enterprise | >= 3.0.0 < 12.3.1 | 12.3.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
Red Hat
grafana: Grafana: Denial of Service via resource exhaustion from avatar requests
vendor_redhat · 2026-01-27 · CVSS 7.5 · HIGH · CWE-772
A flaw was found in Grafana. A remote attacker can exploit this vulnerability by sending a sustained volume of uncached /avatar/:hash requests. This action causes the system to create and block goroutines, which are lightweight concurrent func
VulDB
Grafana up to 12.3.0 Gravatar Image /avatar/:hash random values (Nessus ID 297198 / WID-SEC-2026-0224)
vuldb · 2026-06-30 · CVSS 7.5 · HIGH
A vulnerability labeled as problematic has been found in Grafana up to 11.6.8/12.0.7/12.1.4/12.2.2/12.3.0. Affected is an unknown function of the file /avatar/:hash of the component Gravatar Image Handler. Such manipulation leads to insufficiently random values.
This vulnerability is listed as CVE-2026-21720. The attack may be performed from remote. There is no available exploit.
The affected component should be upgraded.
GHSA
GHSA-m4rj-q4ph-fr4v: Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image
ghsa_unreviewed · 2026-01-27 · HIGH · CWE-400
OSV
CVE-2026-21720: Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image
osv · 2026-01-27 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.