CVE-2026-28376
published 2026-05-13
Priority: P3 · 37 · medium · CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.33% (24.6th percentile)
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
Affected
27 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | >= 12.0.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.4.0 < 12.4.3 | 12.4.3 |
| grafana | grafana | >= 8.0.0 < 11.6.14 | 11.6.14 |
| grafana | grafana_oss | >= 11.6.14 < 11.6.14+security-04 | 11.6.14+security-04 |
| grafana | grafana_oss | 12.0.0 – 12.2.8 | — |
| grafana | grafana_oss | >= 12.2.8 < 12.2.8+security-04 | 12.2.8+security-04 |
| grafana | grafana_oss | 12.3.0 – 12.3.6 | — |
| grafana | grafana_oss | >= 12.3.6 < 12.3.6+security-04 | 12.3.6+security-04 |
| grafana | grafana_oss | 12.4.0 – 12.4.3 | — |
| grafana | grafana_oss | >= 12.4.3 < 12.4.3+security-02 | 12.4.3+security-02 |
| grafana | grafana_oss | 13.0.0 – 13.0.1 | — |
| grafana | grafana_oss | >= 13.0.1 < 13.0.1+security-01 | 13.0.1+security-01 |
| grafana | grafana_oss | 8.0.0 – 11.6.14 | — |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| rhacm2 | acm-grafana-rhel9 | — | — |
| rhceph | grafana-rhel10 | — | — |
| rhceph | grafana-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 6.5 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 6.5 · MEDIUM
VulDB
Grafana OSS up to 13.0.1+security-00 Live Push Endpoint allocation of resources (WID-SEC-2026-1546)
vuldb·2026-05-16·CVSS 6.5
CVE-2026-28376 [MEDIUM] Grafana OSS up to 13.0.1+security-00 Live Push Endpoint allocation of resources (WID-SEC-2026-1546)
A vulnerability labeled as problematic has been found in Grafana OSS. Affected by this issue is some unknown functionality of the component Live Push Endpoint. Such manipulation leads to allocation of resources.
This vulnerability is documented as CVE-2026-28376. The attack can be executed remotely. There is not any exploit available.
The affected component should be upgraded.
GHSA
GHSA-9mjv-w43g-3xj4: The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading
ghsa_unreviewed·2026-05-13
CVE-2026-28376 [MEDIUM] CWE-770 GHSA-9mjv-w43g-3xj4: The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
Red Hat
grafana: Grafana Live: Denial of Service due to unbounded memory allocation via push endpoint
vendor_redhat·2026-05-13·CVSS 6.5
CVE-2026-28376 [MEDIUM] CWE-770 grafana: Grafana Live: Denial of Service due to unbounded memory allocation via push endpoint
A flaw was found in Grafana Live. An authenticated user with access to the Grafana Live API can exploit the push endpoint by sending a large or streaming request body. This can lead to unbounded memory allocation, potentially causing out-of-memory conditions and resulting in a Denial of Service (DoS) for the affected system.
Package: multicluster-globalhub/multicluster-globalhub-grafana-rhel9 (Multicluster Global Hub) - Fix deferred
Package: rhacm2/acm-grafana-rhel9 (Red Hat Advanced Cluster Management for Kubernetes 2) - Fix deferred
Package: rhceph/rhceph-5-dashboard-rhel8 (Red Hat Ceph Storage 5) - Not affected
Package: rhceph/rhceph-6-dashboard-rhel9 (Red Hat Ceph Storage 6) - Not affecte
No detection rules found.
No public exploits indexed.
Published: 2026-05-13