Grafana OSS (vendor: Grafana)
12 CVEs affecting Grafana OSS. Latest disclosed: 2026-05-13. Critical: 0, High: 2, Medium: 10.
| CVE | Severity | CVSS score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33376 | High | 7.4 | 2026-05-13 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate ea… |
| CVE-2026-33377 | High | 7.1 | 2026-05-13 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate… |
| CVE-2026-33378 | Medium | 6.5 | 2026-05-13 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the im… |
| CVE-2026-28383 | Medium | 6.5 | 2026-05-13 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user… |
| CVE-2026-28380 | Medium | 6.5 | 2026-05-13 | Any Editor could delete any snapshot, even if they have no access to read or write them. |
| CVE-2026-28379 | Medium | 6.5 | 2026-05-13 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map ac… |
| CVE-2026-28376 | Medium | 6.5 | 2026-05-13 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-o… |
| CVE-2026-33375 | Medium | 6.5 | 2026-03-26 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out… |
| CVE-2026-33380 | Medium | 6.3 | 2026-05-13 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlEx… |
| CVE-2026-33381 | Medium | 5.9 | 2026-05-13 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will… |
| CVE-2026-21724 | Medium | 5.4 | 2026-03-26 | A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify… |
| CVE-2026-28374 | Medium | 4.3 | 2026-05-13 | Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. |
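The CVE-2026-33376 row states that a bare IPv6 entry in the Auth Proxy allow-list is treated as /32. A /32 mask is a single host for IPv4 but a block of 2^96 addresses for IPv6, so a bare entry silently trusts far more than the operator intended. The Go program below is an added illustration of that mask arithmetic using only the standard library; it is not Grafana's allow-list code, and the entry strings, the `hostDefault` switch and the function names are assumptions made for the example. Entries that carry an explicit mask are parsed as written in both modes, matching the advisory's note that explicitly masked addresses are unaffected.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parseAllowList converts allow-list entries to prefixes.
// Entries with an explicit "/n" are taken as written (unaffected per the advisory).
// Bare addresses get a default mask:
//   hostDefault=false models the flawed behaviour described in CVE-2026-33376,
//                     a /32 regardless of address family;
//   hostDefault=true  uses a single-host mask per family (/32 for IPv4, /128 for IPv6).
// This is illustrative code, not Grafana's implementation.
func parseAllowList(entries []string, hostDefault bool) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if strings.Contains(e, "/") {
			p, err := netip.ParsePrefix(e)
			if err != nil {
				return nil, fmt.Errorf("bad prefix %q: %w", e, err)
			}
			out = append(out, p)
			continue
		}
		a, err := netip.ParseAddr(e)
		if err != nil {
			return nil, fmt.Errorf("bad address %q: %w", e, err)
		}
		bits := 32 // the flawed family-agnostic default
		if hostDefault {
			bits = a.BitLen() // 32 for IPv4, 128 for IPv6
		}
		p, err := a.Prefix(bits) // Prefix masks the host bits
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// isAllowed reports whether client falls inside any allow-list prefix.
func isAllowed(prefixes []netip.Prefix, client string) bool {
	ip, err := netip.ParseAddr(client)
	if err != nil {
		return false
	}
	for _, p := range prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed allow-list: one bare IPv6 host, one bare IPv4 host, one explicit /64.
	entries := []string{"2001:db8::1", "203.0.113.10", "2001:db8:1::/64"}
	for _, hostDefault := range []bool{false, true} {
		prefixes, _ := parseAllowList(entries, hostDefault)
		fmt.Printf("hostDefault=%v prefixes=%v\n", hostDefault, prefixes)
		// An address in the same /32 but far outside the intended host:
		fmt.Printf("  2001:db8:ffff::beef allowed: %v\n", isAllowed(prefixes, "2001:db8:ffff::beef"))
		fmt.Printf("  2001:db8:1::42 allowed (explicit /64): %v\n", isAllowed(prefixes, "2001:db8:1::42"))
		fmt.Printf("  203.0.113.11 allowed: %v\n", isAllowed(prefixes, "203.0.113.11"))
	}
}
```

With `hostDefault=false` the bare entry `2001:db8::1` becomes `2001:db8::/32`, so any address in that provider-sized block passes the check; with `hostDefault=true` it becomes `2001:db8::1/128` and only that host passes. The practical check for an operator is the one the advisory implies: write every IPv6 allow-list entry with an explicit mask until running a fixed version.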
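Two rows above, CVE-2026-28383 (plugin resources endpoint) and CVE-2026-28376 (Grafana Live push endpoint), describe the same defect class: a handler reads the whole request body into memory, so a large or streaming body drives the process to OOM. The Go snippet below is an added example of that pattern and its standard fix with `http.MaxBytesReader`; it is not Grafana's handler code, and the URL path, the 64 KiB limit and the helper names are assumptions made for the example. The vulnerable form is kept deliberately to show the contrast.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is an assumed per-request cap; pick it from the largest legitimate payload.
const maxBodyBytes = 64 << 10

// unboundedHandler models the defect: io.ReadAll buffers whatever the client sends,
// so memory use is controlled by the attacker, not the server.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read failed", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// boundedHandler wraps the body so that reads stop at maxBodyBytes and the
// request is rejected with 413 instead of being buffered in full.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read failed", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// statusFor drives a handler with a constructed body of n bytes through httptest
// (no network) and returns the HTTP status it produced.
func statusFor(h http.HandlerFunc, n int) int {
	req := httptest.NewRequest(http.MethodPost, "/api/plugins/example/resources/push",
		strings.NewReader(strings.Repeat("A", n)))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	over := maxBodyBytes + 1
	fmt.Println("unbounded, oversized body:", statusFor(unboundedHandler, over))
	fmt.Println("bounded,   oversized body:", statusFor(boundedHandler, over))
	fmt.Println("bounded,   small body:    ", statusFor(boundedHandler, 16))
}
```

`MaxBytesReader` also closes the connection after the limit is hit, which is what stops a streaming client from keeping the read going. Applying the wrapper in one middleware at the router, rather than per handler, is the way to make sure a newly added endpoint cannot reintroduce the unbounded read.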