CVE-2026-27880 — Out-of-bounds Write in Grafana

CWE-787 — Out-of-bounds Write CWE-770 — Allocation of Resources Without Limits or Throttling6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 95.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grafana

Timeline

PublishedMar 27

Description

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5grafana/grafanav12.1.0 — v12.1.10+3

▶NVDgrafana/grafana12.1.10 — 12.2.0+3

🔴Vulnerability Details

CVEList

OpenFeature evaluation API reads input data with no bounds↗2026-03-27

▶

OSV

CVE-2026-27880: The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes↗2026-03-27

▶

GHSA

GHSA-jmfj-8gxc-cg8c: The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes↗2026-03-27

▶

📋Vendor Advisories

Red Hat

Grafana: Grafana: Denial of Service via unbounded memory read in feature toggle evaluation↗2026-03-27

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27880 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶