Description
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Published: 2026-01-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Immediate Patch
AI Analysis

Impact

Every uncached /avatar/:hash request spawns a goroutine that attempts to refresh the Gravatar image. If the handler's wait times out while that refresh is still queued, the worker goroutine later blocks forever on its send to an unbuffered channel that nobody reads, and the goroutine, its stack and whatever it holds are never reclaimed. Sustained traffic with distinct, uncacheable hashes repeats the scenario on every request, so the goroutine count grows until memory is exhausted and Grafana terminates. The flaw lets an unauthenticated attacker exhaust server resources and crash the application.
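The leak that the description and the paragraph above attribute to the avatar handler is a general Go pattern: a worker goroutine sends its result on an unbuffered channel while the handler waits in a select with a timeout, and once the timeout branch wins the send has no receiver. The following is an added example, not Grafana's code or a copy of its avatar package; the pool type, the slot count and the durations are assumptions, scaled to milliseconds so the demo runs in well under a second. It shows the vulnerable shape beside one fix (a channel with capacity 1, so the orphaned send completes and the worker exits) and counts how many worker goroutines survive each variant.

```go
package main

import (
	"context"
	"fmt"
	"runtime"
	"sync/atomic"
	"time"
)

// Constructed model of the bug pattern (not Grafana's code). A bounded worker
// queue refreshes avatars; the handler waits on a channel with a timeout.

// refreshPool stands in for the advisory's 10-slot worker queue: at most
// cap(sem) refreshes run at once, the rest wait on the semaphore.
type refreshPool struct {
	sem      chan struct{}
	fetchDur time.Duration // simulated upstream (Gravatar) round trip
}

func newRefreshPool(slots int, fetchDur time.Duration) *refreshPool {
	return &refreshPool{sem: make(chan struct{}, slots), fetchDur: fetchDur}
}

// refresh simulates one avatar download: wait for a slot, then "fetch".
func (p *refreshPool) refresh(hash string) []byte {
	p.sem <- struct{}{}
	defer func() { <-p.sem }()
	time.Sleep(p.fetchDur)
	return []byte("avatar:" + hash)
}

// leakyFetch has the vulnerable shape. The worker sends on an unbuffered
// channel; once the select below has taken the timeout branch there is no
// receiver, so `ch <- ...` blocks forever and the goroutine is never freed.
// exited counts workers that actually returned (for measurement only).
func leakyFetch(p *refreshPool, exited *int64, hash string, timeout time.Duration) ([]byte, bool) {
	ch := make(chan []byte) // unbuffered: a send needs a concurrent receive
	go func() {
		defer atomic.AddInt64(exited, 1) // never reached after a timeout
		ch <- p.refresh(hash)
	}()
	select {
	case b := <-ch:
		return b, true
	case <-time.After(timeout):
		return nil, false // handler gives up; the worker is now stuck
	}
}

// safeFetch is one correct shape: capacity 1 lets the single send complete
// even when the receiver is gone, so the worker exits and the unwanted
// result is dropped. The deadline travels in a context so callers can also
// cancel early.
func safeFetch(ctx context.Context, p *refreshPool, exited *int64, hash string, timeout time.Duration) ([]byte, bool) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	ch := make(chan []byte, 1) // buffered: the send never blocks
	go func() {
		defer atomic.AddInt64(exited, 1)
		ch <- p.refresh(hash)
	}()
	select {
	case b := <-ch:
		return b, true
	case <-ctx.Done():
		return nil, false
	}
}

// simulate issues n requests with distinct hashes (every one times out,
// because the refresh takes longer than the timeout), lets the queued
// refreshes drain, and reports how many workers are still alive.
func simulate(n int, leaky bool) (stuckWorkers int) {
	pool := newRefreshPool(10, 10*time.Millisecond)
	timeout := 2 * time.Millisecond // shorter than fetchDur by design
	var exited int64
	for i := 0; i < n; i++ {
		hash := fmt.Sprintf("%032x", i) // stand-in for an attacker's random hashes
		if leaky {
			leakyFetch(pool, &exited, hash, timeout)
		} else {
			safeFetch(context.Background(), pool, &exited, hash, timeout)
		}
	}
	// n refreshes through 10 slots at 10ms each finish well inside 500ms;
	// a worker that has not exited by then is parked on its send forever.
	deadline := time.Now().Add(500 * time.Millisecond)
	for atomic.LoadInt64(&exited) < int64(n) && time.Now().Before(deadline) {
		time.Sleep(5 * time.Millisecond)
	}
	return n - int(atomic.LoadInt64(&exited))
}

func main() {
	before := runtime.NumGoroutine()
	stuck := simulate(50, true)
	fmt.Printf("leaky: %d workers stuck, goroutines %d -> %d\n", stuck, before, runtime.NumGoroutine())
	before = runtime.NumGoroutine()
	stuck = simulate(50, false)
	fmt.Printf("fixed: %d workers stuck, goroutines %d -> %d\n", stuck, before, runtime.NumGoroutine())
}
```

Run with `go run`: the leaky variant reports every worker stuck and the process goroutine count higher by the request count, and that number never comes back down; the fixed variant returns to baseline. A capacity of 1 is enough because exactly one send ever happens per worker. Note that the fix still lets the refresh run to completion after the handler has left; a select on ctx.Done() inside the worker would let it abandon the fetch too, but the leak itself is the send, not the fetch.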

Affected Systems

Grafana OSS and Grafana Enterprise are affected. The NVD CPE data on this page lists version 12.3.0 explicitly for both editions plus a wildcard-version entry whose range is not shown, and no fixed version is recorded here; the Grafana security advisory is the authority on which releases carry the fix.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) places the vulnerability in the High band: it is reachable over the network, needs no privileges or user interaction, and affects availability only. The EPSS estimate (below 1%) indicates a low current probability of exploitation, and the flaw is not in CISA's KEV catalog, although the SSVC assessment recorded on this page marks it Automatable: yes, which fits a defect that needs nothing more than a stream of unauthenticated GET requests for /avatar/<random-hash> from any host that can reach Grafana, including an instance exposed to the internet. Successful exploitation exhausts memory and crashes the process.

Generated by OpenCVE AI on April 15, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release the Grafana security advisory lists as fixed; this page records no fixed version, so do not assume a particular 12.3.x build is safe without checking the advisory.
  • If an upgrade cannot be performed immediately, block or rate limit unauthenticated requests to /avatar/ at the reverse proxy or WAF in front of Grafana (per-client limits; the attack uses many distinct hashes, so URL-keyed caching does not help), or turn Gravatar lookups off with disable_gravatar = true in the [security] section of grafana.ini. Whether that setting also bypasses the leaking code path is not stated on this page, so treat it as exposure reduction rather than a guarantee.
  • Monitor go_goroutines and process_resident_memory_bytes from Grafana's Prometheus /metrics endpoint: a goroutine count that climbs during avatar traffic and never returns to baseline is the signature of this leak. Restarting Grafana reclaims the leaked goroutines, but only until the traffic resumes.


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 20:15:00 +0000
  CPEs (values added):
    cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*
    cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
    cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:-:*:*:*
    cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:enterprise:*:*:*

Thu, 12 Feb 2026 13:30:00 +0000
  References (changed; values not shown)

Wed, 28 Jan 2026 12:15:00 +0000
  Weaknesses (values added): CWE-772
  References (changed; values not shown)
  Metrics threat_severity: None (removed) -> Important (added)

Tue, 27 Jan 2026 20:30:00 +0000
  First Time appeared: Grafana; Grafana grafana; Grafana grafana Enterprise
  Vendors & Products (values added): Grafana; Grafana grafana; Grafana grafana Enterprise

Tue, 27 Jan 2026 15:15:00 +0000
  Weaknesses (values added): CWE-400, CWE-703
  Metrics ssvc (value added):
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 09:15:00 +0000
  Description (value added): the description shown at the top of this page
  Title (value added): Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
  References (values added; not shown)
  Metrics cvssV3_1 (value added):
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-04-24T08:00:48.727Z

Reserved: 2026-01-05T09:26:06.214Z

Link: CVE-2026-21720

Vulnrichment

Updated: 2026-01-27T14:27:05.963Z

NVD

Status : Analyzed

Published: 2026-01-27T09:15:48.490

Modified: 2026-02-17T20:06:27.733

Link: CVE-2026-21720

Red Hat

Severity : Important

Public Date: 2026-01-27T09:07:04Z

Links: CVE-2026-21720 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses