cvebase

Grafana OSS vulnerabilities

15 known vulnerabilities affecting grafana/grafana_oss.

Total CVEs: 15
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 11

Vulnerabilities

CVE-2026-33381 | HIGH | CVSS 8.1 | Priority P3 | 2026-05-13
Affected versions: ≥ 9.2.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-284: When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
Source: NVD

CVE-2026-42127 | HIGH | CVSS 7.5 | Priority P3 | 2026-06-22
Affected versions: ≥ 11.6.0, ≤ 11.6.14; ≥ 12.2.0, ≤ 12.2.8; +3 more ranges
CWE-770: The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnera
Source: NVD

CVE-2026-33376 | HIGH | CVSS 7.4 | Priority P3 | 2026-05-13
Affected versions: ≥ 9.4.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-1188: When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here.
Source: NVD

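The /32 default in this entry is easy to check for, and to fix in the config, before an upgrade lands. The Go program below is an added example and not Grafana's code: it models an allow-list parser whose bare entries fall back to /32 (the flawed behaviour) next to the advisory's mitigation of appending /128 to every bare IPv6 entry, and exercises both with a constructed two-entry list. The config key is not taken from this page; in Grafana the list lives under [auth.proxy] as `whitelist` to the best of my knowledge, so confirm that against the docs for your version before applying the rewritten value.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Added example, not Grafana code. It models the allow-list behaviour from
// CVE-2026-33376: an entry with no explicit mask is treated as /32, which is
// a single host for IPv4 but a block of 2^96 addresses for IPv6.

// parseAllowList parses a comma-separated allow-list. Entries with an explicit
// mask are taken as written; bare IPv4 entries become /32; bare IPv6 entries
// get bareIPv6Bits, which is 32 in the flawed default and 128 when hardened.
func parseAllowList(raw string, bareIPv6Bits int) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, entry := range strings.Split(raw, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		if strings.Contains(entry, "/") {
			p, err := netip.ParsePrefix(entry)
			if err != nil {
				return nil, err
			}
			out = append(out, p)
			continue
		}
		addr, err := netip.ParseAddr(entry)
		if err != nil {
			return nil, err
		}
		bits := 32
		if addr.Is6() {
			bits = bareIPv6Bits
		}
		p, err := addr.Prefix(bits)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// allowed reports whether client falls inside any prefix of the list.
func allowed(list []netip.Prefix, client string) bool {
	addr, err := netip.ParseAddr(client)
	if err != nil {
		return false
	}
	for _, p := range list {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// hardenAllowList applies the advisory's mitigation: every bare IPv6 entry
// gets an explicit /128 so the parser's default never applies. Entries that
// already carry a mask, and IPv4 entries, are left untouched.
func hardenAllowList(raw string) string {
	var out []string
	for _, entry := range strings.Split(raw, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		if !strings.Contains(entry, "/") {
			if addr, err := netip.ParseAddr(entry); err == nil && addr.Is6() {
				entry += "/128"
			}
		}
		out = append(out, entry)
	}
	return strings.Join(out, ", ")
}

func main() {
	// Constructed allow-list: one IPv4 proxy and one IPv6 proxy, no masks.
	const raw = "203.0.113.7, 2001:db8:1::10"
	// Constructed client: a different host inside the same 2001:db8::/32 block.
	const stranger = "2001:db8:ffff::1"

	flawed, _ := parseAllowList(raw, 32)
	fixed, _ := parseAllowList(hardenAllowList(raw), 32)
	fmt.Println("flawed default admits stranger:", allowed(flawed, stranger)) // true
	fmt.Println("hardened list admits stranger: ", allowed(fixed, stranger))  // false
	fmt.Println("hardened whitelist =", hardenAllowList(raw))
}
```

Run hardenAllowList over the current value, diff it against the original, and keep the explicit masks even after upgrading: an allow-list that never relies on a parser default cannot regress this way again.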
CVE-2026-33380 | MEDIUM | CVSS 6.5 | Priority P3 | 2026-05-13
Affected versions: ≥ 11.6.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-552: A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Source: NVD

CVE-2026-33377 | HIGH | CVSS 7.1 | Priority P3 | 2026-05-13
Affected versions: ≥ 8.5.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-287: An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
Source: NVD

CVE-2023-0507 | MEDIUM | CVSS 5.4 | Priority P3 | 2023-03-01
Affected versions: v12.4.0 (as listed)
CWE-79: Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorize
Source: NVD

CVE-2026-33375 | MEDIUM | CVSS 6.5 | Priority P3 | 2026-03-26
Affected versions: ≥ 11.6.0, < 11.6.14+security-01; ≥ 12.1.0, < 12.1.10+security-01; +3 more ranges
CWE-400: The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Source: NVD

CVE-2026-28376 | MEDIUM | CVSS 6.5 | Priority P3 | 2026-05-13
Affected versions: ≥ 8.0.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-770: The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
Source: NVD

CVE-2026-33378 | MEDIUM | CVSS 6.5 | Priority P3 | 2026-05-13
Affected versions: ≥ 8.0.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-400: Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.
Source: NVD

CVE-2026-28380 | MEDIUM | CVSS 6.5 | Priority P3 | 2026-05-13
Affected versions: ≥ 9.4.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-862: Any Editor could delete any snapshot, even if they have no access to read or write them.
Source: NVD

CVE-2026-28379 | MEDIUM | CVSS 6.5 | Priority P4 | 2026-05-13
Affected versions: ≥ 8.2.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-362: A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
Source: NVD

CVE-2026-28383 | MEDIUM | CVSS 6.5 | Priority P4 | 2026-05-13
Affected versions: ≥ 6.7.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-770: A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
Source: NVD

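Three entries on this page share one root cause: CVE-2026-42127 (public dashboard query), CVE-2026-28376 (Live push) and this one, CVE-2026-28383 (plugin resources), all read the request body in full before any size limit is applied, so the client decides how much the server allocates. The Go program below is an added example and not Grafana's code; it puts that pattern next to a handler that caps the body with http.MaxBytesReader before JSON decoding, and drives both through net/http/httptest with a constructed oversized payload. The route string and the 1 MiB cap are assumptions for illustration, not values from the advisories.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added example, not Grafana code. It contrasts the pattern behind
// CVE-2026-42127, CVE-2026-28376 and CVE-2026-28383 (the whole request body
// is read before any size check) with a handler that caps the body first.

// maxQueryBody is an assumed cap; size it for the largest legitimate payload
// the endpoint needs, not for the largest one a client might send.
const maxQueryBody = 1 << 20 // 1 MiB

type queryRequest struct {
	Queries []json.RawMessage `json:"queries"`
}

// vulnerableHandler reads the entire body into memory, so the client decides
// how much the server allocates per request.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var q queryRequest
	if err := json.Unmarshal(body, &q); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedHandler wraps the body in http.MaxBytesReader before decoding. The
// decoder stops at the cap with *http.MaxBytesError, which maps to 413, and
// streaming decode means even an accepted body is not buffered twice.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxQueryBody)
	var q queryRequest
	if err := json.NewDecoder(r.Body).Decode(&q); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// serve runs a handler against a constructed in-memory POST and returns the
// status code; the route is illustrative, not a claim about Grafana's API.
func serve(h http.HandlerFunc, body io.Reader) int {
	req := httptest.NewRequest(http.MethodPost, "/api/public/dashboards/example/query", body)
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// oversizedPayload is constructed attacker input: syntactically valid JSON
// whose single string field is padded out to n bytes.
func oversizedPayload(n int) io.Reader {
	return io.MultiReader(
		strings.NewReader(`{"queries":[{"pad":"`),
		strings.NewReader(strings.Repeat("A", n)),
		strings.NewReader(`"}]}`),
	)
}

func main() {
	const big = 4 * maxQueryBody
	fmt.Println("vulnerable, 4 MiB body:", serve(vulnerableHandler, oversizedPayload(big))) // 200
	fmt.Println("hardened,   4 MiB body:", serve(hardenedHandler, oversizedPayload(big)))   // 413
	fmt.Println("hardened,   small body:", serve(hardenedHandler, strings.NewReader(`{"queries":[{"refId":"A"}]}`))) // 200
}
```

The cap must sit on the body reader, not on a Content-Length header check: a chunked or streaming request carries no usable length, which is exactly the "streaming request body" case CVE-2026-28376 calls out.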
CVE-2026-10601 | MEDIUM | CVSS 4.3 | Priority P4 | 2026-06-22
Affected versions: v11.6.0 (as listed)
CWE-22: The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing
Source: NVD

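The defect class here is user input spliced into an upstream URL path, so a Viewer can steer the plugin's backend request off its intended route with dot-dot segments. The Go program below is an added example and not the Tempo or Loki plugin's code: it shows the naive concatenation next to a builder that allow-lists the segment and re-checks the cleaned path against the fixed route. The base URL, route and trace ID are constructed values rather than the plugins' real endpoints, and the example covers only the traversal itself, not the credential capture or state-changing calls the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Added example, not Grafana or plugin code. It shows the defect class in
// CVE-2026-10601, user input interpolated into an upstream URL path, beside a
// builder that confines the request to one fixed route. The base URL and
// route are illustrative values, not the plugins' real endpoints.

var errBadSegment = errors.New("path segment rejected")

// segmentRe is an allow-list for one path segment: no slash, no leading dot
// (so no "." or ".."), and no percent sign the upstream might decode into either.
var segmentRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)

// naiveUpstreamURL is the vulnerable shape: string concatenation, no check.
func naiveUpstreamURL(base, route, userID string) string {
	return base + route + "/" + userID
}

// safeUpstreamURL validates the segment, composes the path with path.Join,
// and re-checks that the cleaned path still sits under route before returning.
func safeUpstreamURL(base, route, userID string) (string, error) {
	if !segmentRe.MatchString(userID) {
		return "", errBadSegment
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	joined := path.Join(u.Path, route, userID)
	routeRoot := path.Clean(path.Join(u.Path, route)) + "/"
	if !strings.HasPrefix(path.Clean(joined), routeRoot) {
		return "", errBadSegment
	}
	u.Path = joined
	u.RawPath = ""
	return u.String(), nil
}

// resolvedPath is what an upstream that normalises dot segments would serve.
func resolvedPath(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return ""
	}
	return path.Clean(u.Path)
}

func main() {
	const base = "http://tempo.internal:3200" // constructed datasource URL
	const route = "/api/traces"               // illustrative fixed route
	attack := "../../api/admin/flush"         // constructed Viewer-supplied ID

	naive := naiveUpstreamURL(base, route, attack)
	fmt.Println("naive URL:    ", naive)
	fmt.Println("upstream sees:", resolvedPath(naive)) // /api/admin/flush

	_, err := safeUpstreamURL(base, route, attack)
	fmt.Println("safe builder: ", err) // path segment rejected

	good, _ := safeUpstreamURL(base, route, "3f2a9c")
	fmt.Println("legit request:", good) // http://tempo.internal:3200/api/traces/3f2a9c
}
```

The prefix re-check is redundant with the regex on purpose: if the allow-list is later loosened (for example to admit label names with unusual characters), the second check still refuses anything that resolves outside the route.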
CVE-2026-21724 | MEDIUM | CVSS 4.3 | Priority P4 | 2026-03-26
Affected versions: ≥ 12.3.1, < 12.3.6; ≥ 12.2.2, < 12.2.8; +2 more ranges
CWE-285: A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Source: NVD

CVE-2026-28374 | MEDIUM | CVSS 4.3 | Priority P4 | 2026-05-13
Affected versions: ≥ 8.5.0, ≤ 11.6.14; ≥ 11.6.14, < 11.6.14+security-04; +8 more ranges
CWE-284: Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
Source: NVD
