What is CVE-2026-42127?

CVE-2026-42127 is a high-severity vulnerability in Grafana Enterprise, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 7.5/10. Published 2026-06-22.

How severe is CVE-2026-42127?

High severity. CVSS v3 base score is 7.5 out of 10.

Resource exhaustion in Grafana Enterprise

CVE-2026-42127

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of servic…

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Grafana Enterprise — versions 0
Grafana Oss — versions 11.6.0, 12.2.0, 12.3.0

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

security@grafana.com (vendor-advisory)

Frequently asked questions

What is CVE-2026-42127?: CVE-2026-42127 is a high-severity vulnerability in Grafana Enterprise, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 7.5/10. Published 2026-06-22.
How severe is CVE-2026-42127?: High severity. CVSS v3 base score is 7.5 out of 10.