Description
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The OpenFeature evaluation endpoint in Grafana reads input data into memory without imposing any limits. This unbounded allocation can exhaust the process memory, leading to an out-of-memory crash and a denial of service for all clients relying on the API. The weakness corresponds to uncontrolled memory allocation (CWE-770) and also exhibits characteristics of an out-of-bounds write (CWE-787).

Affected Systems

The flaw is present in all Grafana installations that expose the OpenFeature evaluation API. No specific version information is listed in the CVE data, so any Grafana instance that uses this endpoint is potentially affected.

Risk and Exploitability

The CVSS score of 7.5 reflects a moderate-to-high severity. The EPSS score of less than 1% suggests that exploitation is relatively unlikely at present, and the vulnerability is not yet listed in the CISA KEV catalog. Exploitation would consist of sending a crafted request to the OpenFeature evaluation endpoint over the network; this is an inference from the nature of the API rather than a detail given in the CVE data.

Generated by OpenCVE AI on April 2, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grafana to the latest release that fixes the OpenFeature evaluation API memory handling.
  • Restrict network access to the OpenFeature evaluation endpoint, allowing only trusted internal services or IP ranges to invoke it.
  • Configure the application or Grafana to impose a reasonable maximum size for evaluation requests, if such a setting is available.
  • Monitor Grafana logs and metrics for out-of-memory crashes or abnormal memory usage and set alerts accordingly.

Generated by OpenCVE AI on April 2, 2026 at 21:48 UTC.
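The unbounded read described under Impact, and the request size cap suggested in the recommended actions, shown as an added Go example that is not Grafana's code: a handler that wraps the request body in http.MaxBytesReader before JSON decoding, so an oversized evaluation request is rejected with 413 instead of being buffered in full. The request field names, the 64 KiB cap and the /evaluate path are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"log"
	"net/http"
)

// maxEvalBody caps the bytes one evaluation request may carry. Constructed
// value for this example; the advisory gives no figure.
const maxEvalBody = 64 << 10 // 64 KiB

// evalRequest mirrors an OpenFeature evaluation call; field names are assumed.
type evalRequest struct {
	FlagKey string         `json:"flagKey"`
	Context map[string]any `json:"context"`
}

// decodeEvalRequest wraps the body in http.MaxBytesReader before decoding, so
// a client cannot make the server buffer an unbounded payload (CWE-770); the
// vulnerable variant is this function without that wrapper. Returns the status to send.
func decodeEvalRequest(w http.ResponseWriter, r *http.Request) (*evalRequest, int, error) {
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, maxEvalBody))
	dec.DisallowUnknownFields() // reject fields the endpoint never uses
	var req evalRequest
	if err := dec.Decode(&req); err != nil {
		var tooBig *http.MaxBytesError // returned once the cap is exceeded
		if errors.As(err, &tooBig) {
			return nil, http.StatusRequestEntityTooLarge, err
		}
		return nil, http.StatusBadRequest, err
	}
	if req.FlagKey == "" {
		return nil, http.StatusBadRequest, errors.New("flagKey is required")
	}
	return &req, http.StatusOK, nil
}

func main() {
	http.HandleFunc("/evaluate", func(w http.ResponseWriter, r *http.Request) { // placeholder path
		req, status, err := decodeEvalRequest(w, r)
		if err != nil {
			http.Error(w, err.Error(), status)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"flagKey": req.FlagKey, "value": false, "reason": "DEFAULT"})
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The error type check relies on http.MaxBytesError, so this needs Go 1.19 or newer.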

Advisories

No advisories yet.

History

Each entry lists the fields changed in that update (values removed and/or values added).

Thu, 02 Apr 2026 20:30:00 +0000
  • Weaknesses: CWE-20

Tue, 31 Mar 2026 19:00:00 +0000
  • Weaknesses: CWE-787
  • CPEs: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000
  • First time appeared: Grafana; Grafana grafana
  • Vendors & Products: Grafana; Grafana grafana

Sat, 28 Mar 2026 12:15:00 +0000
  • References
  • Metrics: threat_severity None -> Important

Fri, 27 Mar 2026 20:30:00 +0000
  • Weaknesses: CWE-20, CWE-770

Fri, 27 Mar 2026 15:15:00 +0000
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 14:30:00 +0000
  • Description: The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
  • Title: OpenFeature evaluation API reads input data with no bounds
  • References
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-04-24T08:00:50.308Z

Reserved: 2026-02-24T14:30:17.727Z

Link: CVE-2026-27880

Vulnrichment

Updated: 2026-03-27T14:40:50.982Z

NVD

Status: Analyzed

Published: 2026-03-27T15:16:51.323

Modified: 2026-03-31T18:56:37.670

Link: CVE-2026-27880

Red Hat

Severity: Important

Published Date: 2026-03-27T14:12:20Z

Links: CVE-2026-27880 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:38:38Z

Weaknesses