CVE-2026-28383 | THREATINT

Description

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

PUBLISHED Reserved 2026-02-27 | Published 2026-05-13 | Updated 2026-05-14 | Assigner GRAFANA

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Product status

Default status

unaffected

6.7.0 (semver)

affected

11.6.14 (custom) before 11.6.14+security-04

affected

12.0.0 (semver)

affected

12.2.8 (custom) before 12.2.8+security-04

affected

12.3.0 (semver)

affected

12.3.6 (custom) before 12.3.6+security-04

affected

12.4.0 (semver)

affected

12.4.3 (custom) before 12.4.3+security-02

affected

13.0.0 (semver)

affected

13.0.1 (custom) before 13.0.1+security-01

affected

References

grafana.com/security/security-advisories/cve-2026-28383 vendor-advisory

cve.org (CVE-2026-28383)

nvd.nist.gov (CVE-2026-28383)

Download JSON