CVE-2026-28383
Published 2026-05-13
Priority: P4 · 33 · medium · 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.33% (24.6th percentile)
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
Affected
27 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.4.0 < 12.4.3 | 12.4.3 |
| grafana | grafana | >= 8.5.0 < 11.6.14 | 11.6.14 |
| grafana | grafana_oss | >= 11.6.14 < 11.6.14+security-04 | 11.6.14+security-04 |
| grafana | grafana_oss | 12.0.0 – 12.2.8 | — |
| grafana | grafana_oss | >= 12.2.8 < 12.2.8+security-04 | 12.2.8+security-04 |
| grafana | grafana_oss | 12.3.0 – 12.3.6 | — |
| grafana | grafana_oss | >= 12.3.6 < 12.3.6+security-04 | 12.3.6+security-04 |
| grafana | grafana_oss | 12.4.0 – 12.4.3 | — |
| grafana | grafana_oss | >= 12.4.3 < 12.4.3+security-02 | 12.4.3+security-02 |
| grafana | grafana_oss | 13.0.0 – 13.0.1 | — |
| grafana | grafana_oss | >= 13.0.1 < 13.0.1+security-01 | 13.0.1+security-01 |
| grafana | grafana_oss | 6.7.0 – 11.6.14 | — |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| rhacm2 | acm-grafana-rhel9 | — | — |
| rhceph | grafana-rhel10 | — | — |
| rhceph | grafana-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 6.5 MEDIUM
Red Hat
grafana: Grafana: Denial of Service via unbounded memory allocation in plugin resources endpoint
vendor_redhat·2026-05-13·CVSS 6.5
CVE-2026-28383 [MEDIUM] CWE-770 grafana: Grafana: Denial of Service via unbounded memory allocation in plugin resources endpoint
A flaw was found in Grafana. An authenticated user can exploit a vulnerability in the plugin resources endpoint by sending a request that causes unbounded memory allocation. This occurs when the system attempts to read the entire request body into memory. Successful exploitation can lead to an out-of-memory condition, resulting in a denial of service (DoS) for the system.
Package: multicluster-globalhub/multicluster-globalhub-grafana-rhel9 (Multicluster Global Hub) - Fix deferred
Package: rhacm2/acm-grafana-rhel9 (Red Hat Advanced Cluster Management for Kubernetes 2) - Fix deferred
Package: rhceph/rhceph-5-dashboard-rhel8 (Red Hat Ceph Storage 5) - Not affected
Package: rhceph/rhceph-6-das
VulDB
Grafana OSS up to 13.0.1+security-00 Grafana Plugin Resources Endpoint denial of service (WID-SEC-2026-1546)
vuldb·2026-05-16·CVSS 6.5
CVE-2026-28383 [MEDIUM] Grafana OSS up to 13.0.1+security-00 Grafana Plugin Resources Endpoint denial of service (WID-SEC-2026-1546)
A vulnerability, which was classified as problematic, has been found in Grafana OSS. The affected element is an unknown function of the component Grafana Plugin Resources Endpoint. This manipulation causes denial of service.
This vulnerability is handled as CVE-2026-28383. The attack can be initiated remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
GHSA
GHSA-9mfc-92xm-c5mf: A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory
ghsa_unreviewed·2026-05-13
CVE-2026-28383 [MEDIUM] CWE-770 GHSA-9mfc-92xm-c5mf: A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
No detection rules found.
No public exploits indexed.
Published: 2026-05-13