cbcvebase.
CVE-2026-28383
published 2026-05-13

CVE-2026-28383: A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user…

PriorityP433medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
EPSS
0.33%
24.6th percentile
A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

Affected

27 ranges· showing 25
VendorProductVersion rangeFixed in
grafanagrafana
grafanagrafana
grafanagrafana
grafanagrafana
grafanagrafana
grafanagrafana
grafanagrafana
grafanagrafana>= 12.2.0 < 12.2.812.2.8
grafanagrafana>= 12.3.0 < 12.3.612.3.6
grafanagrafana>= 12.4.0 < 12.4.312.4.3
grafanagrafana>= 8.5.0 < 11.6.1411.6.14
grafanagrafana_oss>= 11.6.14 < 11.6.14+security-0411.6.14+security-04
grafanagrafana_oss12.0.0 – 12.2.8
grafanagrafana_oss>= 12.2.8 < 12.2.8+security-0412.2.8+security-04
grafanagrafana_oss12.3.0 – 12.3.6
grafanagrafana_oss>= 12.3.6 < 12.3.6+security-0412.3.6+security-04
grafanagrafana_oss12.4.0 – 12.4.3
grafanagrafana_oss>= 12.4.3 < 12.4.3+security-0212.4.3+security-02
grafanagrafana_oss13.0.0 – 13.0.1
grafanagrafana_oss>= 13.0.1 < 13.0.1+security-0113.0.1+security-01
grafanagrafana_oss6.7.0 – 11.6.14
multicluster-globalhubmulticluster-globalhub-grafana-rhel9
rhacm2acm-grafana-rhel9
rhcephgrafana-rhel10
rhcephgrafana-rhel9

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.