Description
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
Published: 2026-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A Grafana testdata datasource can be leveraged to trigger out‑of‑memory conditions, causing the Grafana application to crash or become unresponsive. The vulnerability results from the datasource's unbounded memory allocation capability, which—when invoked—exceeds available system memory and forces the process to terminate. This effectively denies legitimate users the ability to use Grafana until it is restarted, compromising availability and potentially interrupting dashboards, alerts, and user sessions that rely on the service.

Affected Systems

Grafana is the affected vendor and product. All releases that include the default testdata datasource are impacted until a patch or update is applied. Specific version details are not enumerated in the advisory, so any Grafana instance that has the testdata datasource enabled is considered at risk.

Risk and Exploitability

The CVSS score of 6.5 denotes medium severity, reflecting the denial-of-service potential without granting direct access to secrets or data. The exploit probability (EPSS) is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known, widely exploited instances yet. The advisory text does not describe the attack path, but the CVSS vector recorded for this entry (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) rates it as network-reachable, low complexity, requiring low privileges and no user interaction, with impact limited to availability. That fits the inference that an attacker would need the ability to configure or trigger the testdata datasource, which may require authenticated access or public endpoints if exposed. Given the moderate severity and lack of known exploitation, the risk remains noteworthy, especially in environments with high availability requirements.

Generated by OpenCVE AI on March 27, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Grafana to the latest version that contains the CVE-2026-28375 fix
  • If an immediate update is not feasible, disable or remove the testdata datasource to block exploitation
  • Restrict user permissions so that only authorized administrators can create or configure data sources
  • Monitor Grafana logs for out‑of‑memory errors or abnormal memory usage linked to the testdata datasource

Generated by OpenCVE AI on March 27, 2026 at 15:51 UTC.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 12:15:00 +0000

Type          Values Removed           Values Added
References
Metrics       threat_severity: None    threat_severity: Moderate


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-770

Fri, 27 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
Title Grafana Testdata datasource can issue unbounded memory allocations
References
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-03-27T14:28:51.768Z

Reserved: 2026-02-27T07:16:12.218Z

Link: CVE-2026-28375

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T15:16:51.547

Modified: 2026-03-27T15:16:51.547

Link: CVE-2026-28375

Red Hat

Severity: Moderate

Public Date: 2026-03-27T14:26:19Z

Links: CVE-2026-28375 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T20:28:31Z

Weaknesses