Home

Description

Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service.

PUBLISHED Reserved 2026-03-19 | Published 2026-07-10 | Updated 2026-07-13 | Assigner GRAFANA




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-400

Product status

Default status
unaffected

11.6.0 (semver)
affected

12.2.0 (semver)
affected

12.3.0 (semver)
affected

12.4.0 (semver)
affected

13.0.0 (semver)
affected

References

grafana.com/security/security-advisories/cve-2026-33382 vendor-advisory

cve.org (CVE-2026-33382)

nvd.nist.gov (CVE-2026-33382)

Download JSON