Description
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The Grafana MSSQL data source plugin has a logic flaw that lets a Viewer‑level user bypass API restrictions and cause the system to consume all available memory, leading to an out‑of‑memory crash of the host container. The vulnerability therefore results in a denial‑of‑service condition, disrupting site availability without affecting the confidentiality of data. The underlying weakness is a lack of proper privilege enforcement in the API layer.

Affected Systems

All Grafana OSS deployments that use the MSSQL data source plugin are affected. Vendor and product information is listed as Grafana OSS; specific product versions are not disclosed in the advisory, so any instance with the plugin should be considered at risk until a patch is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is abuse of the Grafana API by a low-privileged Viewer user: the attacker needs only a Viewer account on the Grafana instance and the ability to call the API endpoint that triggers the memory allocation. Once triggered, the container crashes, causing downtime for the service.

Generated by OpenCVE AI on March 26, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the patched version of Grafana OSS as described in the vendor advisory.
  • If an upgrade is not immediately possible, disable the MSSQL data source plugin or restrict Viewer users from accessing the relevant API endpoints.
  • Monitor container memory usage for sudden spikes and set alerts for high memory consumption.
  • Verify that other services running in the same container are isolated to limit the impact of a crash.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-640, CWE-788

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Grafana; Grafana grafana

Type: Vendors & Products
Values removed: (none)
Values added: Grafana; Grafana grafana

Thu, 26 Mar 2026 20:30:00 +0000

Type: Description
Values removed: (none)
Values added: The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

Type: Title
Values removed: (none)
Values added: Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-03-26T21:41:06.131Z

Reserved: 2026-03-19T07:55:06.977Z

Link: CVE-2026-33375

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T21:17:05.573

Modified: 2026-03-26T21:17:05.573

Link: CVE-2026-33375

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:39Z

Weaknesses