Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
4 vulnerabilities found for Grafana OSS by Grafana
CVE-2026-33375 (GCVE-0-2026-33375)
Vulnerability from nvd – Published: 2026-03-26 20:05 – Updated: 2026-04-02 15:25
VLAI?
Title
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
Summary
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
11.6.0 , < 11.6.14+security-01
(semver)
Affected: 12.1.0 , < 12.1.10+security-01 (semver) Affected: 12.2.0 , < 12.2.8+security-01 (semver) Affected: 12.3.0 , < 12.3.6+security-01 (semver) Affected: 12.4.0 , < 12.4.2 (semver) |
Date Public ?
2026-03-26 12:52
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:39:23.654250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:40:37.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10+security-01",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-26T12:52:32.117Z",
"descriptions": [
{
"lang": "en",
"value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:25:39.207Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33375"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33375",
"datePublished": "2026-03-26T20:05:52.564Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-04-02T15:25:39.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21724 (GCVE-0-2026-21724)
Vulnerability from nvd – Published: 2026-03-26 20:06 – Updated: 2026-04-02 15:25
VLAI?
Title
Missing Protected-field Authorization in Provisioning Contact Points API
Summary
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Severity ?
5.4 (Medium)
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
12.3.1 , < 12.3.6
(semver)
Affected: 12.2.2 , < 12.2.8 (semver) Affected: 12.1.5 , < 12.1.10 (semver) Affected: 11.6.9 , < 11.6.14 (semver) |
Date Public ?
2026-03-25 22:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:42:43.732342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:56:12.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.1",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.2",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.1.5",
"versionType": "semver"
},
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.9",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-25T22:00:37.352Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:25:42.559Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21724"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Missing Protected-field Authorization in Provisioning Contact Points API",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21724",
"datePublished": "2026-03-26T20:06:18.829Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-02T15:25:42.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21724 (GCVE-0-2026-21724)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:06 – Updated: 2026-04-02 15:25
VLAI?
Title
Missing Protected-field Authorization in Provisioning Contact Points API
Summary
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Severity ?
5.4 (Medium)
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
12.3.1 , < 12.3.6
(semver)
Affected: 12.2.2 , < 12.2.8 (semver) Affected: 12.1.5 , < 12.1.10 (semver) Affected: 11.6.9 , < 11.6.14 (semver) |
Date Public ?
2026-03-25 22:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:42:43.732342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:56:12.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.1",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.2",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.1.5",
"versionType": "semver"
},
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.9",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-25T22:00:37.352Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:25:42.559Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21724"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Missing Protected-field Authorization in Provisioning Contact Points API",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21724",
"datePublished": "2026-03-26T20:06:18.829Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-02T15:25:42.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33375 (GCVE-0-2026-33375)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:05 – Updated: 2026-04-02 15:25
VLAI?
Title
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
Summary
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Grafana | Grafana OSS |
Affected:
11.6.0 , < 11.6.14+security-01
(semver)
Affected: 12.1.0 , < 12.1.10+security-01 (semver) Affected: 12.2.0 , < 12.2.8+security-01 (semver) Affected: 12.3.0 , < 12.3.6+security-01 (semver) Affected: 12.4.0 , < 12.4.2 (semver) |
Date Public ?
2026-03-26 12:52
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:39:23.654250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:40:37.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10+security-01",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-26T12:52:32.117Z",
"descriptions": [
{
"lang": "en",
"value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:25:39.207Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33375"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33375",
"datePublished": "2026-03-26T20:05:52.564Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-04-02T15:25:39.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}