CVE-2026-28376 - Vulnerability Details

- Grafana Live push endpoint allows unbounded memory allocation leading to OOM

Description

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

Published: 2026-05-13

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Grafana Live push endpoint can allocate memory without bounds when an authenticated user sends a large or streaming request body. This uncontrolled allocation can exhaust server memory, causing the Grafana process to terminate or become unresponsive, thereby degrading availability. The flaw is a classic example of unbounded resource consumption, as captured by CWE-770.

Affected Systems

The vulnerability affects Grafana OSS. No specific version ranges are given, so all current and previous releases of Grafana OSS should be considered potentially impacted until an official patch is released.

Risk and Exploitability

The CVSS score is 6.5, indicating a moderate severity. The EPSS score is 0.0004, indicating a very low exploitation probability, and the vulnerability is not listed in CISA KEV. The likely attack vector is through authenticated access to the Live API; the attacker must first have credentials and permissions within Grafana. Once authenticated, the attacker can send arbitrarily large payloads to trigger out-of-memory conditions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Grafana

Grafana OSS

unaffected

Version	Status	Constraints
`8.0.0`	affected	≤ 11.6.14
`11.6.14`	affected	< 11.6.14+security-04
`12.0.0`	affected	≤ 12.2.8
`12.2.8`	affected	< 12.2.8+security-04
`12.3.0`	affected	≤ 12.3.6
`12.3.6`	affected	< 12.3.6+security-04
`12.4.0`	affected	≤ 12.4.3
`12.4.3`	affected	< 12.4.3+security-02
`13.0.0`	affected	≤ 13.0.1
`13.0.1`	affected	< 13.0.1+security-01

Configuration 1 [-]

OR	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana:11.6.14:-::::::
	cpe:2.3:a:grafana:grafana:11.6.14:security01::::::
	cpe:2.3:a:grafana:grafana:12.2.8:-::::::
	cpe:2.3:a:grafana:grafana:12.2.8:security01::::::
	cpe:2.3:a:grafana:grafana:12.3.6:-::::::
	cpe:2.3:a:grafana:grafana:12.3.6:security01::::::
	cpe:2.3:a:grafana:grafana:12.4.3:-::::::
	cpe:2.3:a:grafana:grafana:13.0.0:::::::*
	cpe:2.3:a:grafana:grafana:13.0.1:-::::::

No data.

Vendor Product Confidence Versions

Grafana

88%

Version	Status	Scheme	Platform
`[8.0.0,11.6.14]`	affected	semver	['onprem']
`[11.6.14,11.6.14+security-04)`	affected	semver	['onprem']
`[12.0.0,12.2.8]`	affected	semver	['onprem']
`[12.2.8,12.2.8+security-04)`	affected	semver	['onprem']
`[12.3.0,12.3.6]`	affected	semver	['onprem']
`[12.3.6,12.3.6+security-04)`	affected	semver	['onprem']
`[12.4.0,12.4.3]`	affected	semver	['onprem']
`[12.4.3,12.4.3+security-02)`	affected	semver	['onprem']
`[13.0.0,13.0.1]`	affected	semver	['onprem']
`[13.0.1,13.0.1+security-01)`	affected	semver	['onprem']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Grafana OSS release or official patch as soon as it becomes available
Restrict access to the Grafana Live API to trusted users or trusted network segments using role‑based controls or IP filtering
Configure the web server or Grafana to limit request body size or impose memory usage quotas to prevent excessive resource consumption

Generated by OpenCVE AI on May 14, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://grafana.com/security/security-advisories/cve-2026-28376
https://nvd.nist.gov/vuln/detail/CVE-2026-28376
https://www.cve.org/CVERecord?id=CVE-2026-28376

History

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-28376 https://www.cve.org/CVERecord?id=CVE-2026-28376
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 15 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:grafana:grafana:::::::: cpe:2.3:a:grafana:grafana:11.6.14:-:::::: cpe:2.3:a:grafana:grafana:11.6.14:security01:::::: cpe:2.3:a:grafana:grafana:12.2.8:-:::::: cpe:2.3:a:grafana:grafana:12.2.8:security01:::::: cpe:2.3:a:grafana:grafana:12.3.6:-:::::: cpe:2.3:a:grafana:grafana:12.3.6:security01:::::: cpe:2.3:a:grafana:grafana:12.4.3:-:::::: cpe:2.3:a:grafana:grafana:13.0.0:::::::* cpe:2.3:a:grafana:grafana:13.0.1:-::::::

Thu, 14 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 14 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Grafana Grafana grafana
Vendors & Products		Grafana Grafana grafana

Wed, 13 May 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
Title		Grafana Live push endpoint allows unbounded memory allocation leading to OOM
References		https://grafana.com/security/security-advisories/cve-2026-28376
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Grafana Grafana

MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published: 2026-05-13T19:28:26.544Z

Updated: 2026-06-12T14:47:11.176Z

Reserved: 2026-02-27T07:16:12.218Z

Link: CVE-2026-28376

Vulnrichment

Updated: 2026-05-14T18:10:47.007Z

NVD

Status : Analyzed

Published: 2026-05-13T20:16:19.760

Modified: 2026-05-18T14:57:04.407

Link: CVE-2026-28376

Redhat

Severity : Moderate

Publid Date: 2026-05-13T19:28:26Z

Links: CVE-2026-28376 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T21:15:16Z

Weaknesses

CWE-770
Allocation of Resources Without Limits or Throttling

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object