Description
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
Published: 2026-06-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Grafana’s public dashboard query endpoint fails to impose a limit on the size of the request body before processing it. An unauthenticated attacker can send a JSON payload of arbitrary size, causing the server to allocate large amounts of memory and eventually exhaust available resources, resulting in a denial of service. The weakness stems from inadequate resource control (CWE-400, CWE-770) and can affect both Grafana Enterprise and Grafana OSS installations. The impact is a loss of availability of the affected Grafana instance, potentially affecting all users sharing the same hosting environment.

Affected Systems

The vulnerability is disclosed for Grafana Enterprise and Grafana OSS. No specific version numbers are provided in the release notes or advisory, so all currently running instances may be susceptible until a patched release is applied.

Risk and Exploitability

The CVSS score of 7.5 classifies this issue as high severity, indicating that a successful exploit can cause significant disruption. While the EPSS score is not reported, the lack of an authentication requirement and the possibility of triggering memory exhaustion remotely increase the likelihood of exploitation in an open or misconfigured environment. The vulnerability is not currently listed in CISA’s KEV catalog, but because of its high impact it should be treated as a priority. It can be exploited simply by targeting the public dashboard query URL with a crafted request, meaning the attack surface is wide and requires no special privileges.

Generated by OpenCVE AI on June 22, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Grafana to the latest patched release once available
  • Configure reverse proxy or API gateway to enforce a maximum request body size for dashboard queries
  • Add application-level checks to reject payloads exceeding a defined threshold
  • Implement monitoring to detect unusually large requests and block offending IPs
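The second and third recommended actions, a body-size cap enforced before any decoding happens, as an added Go example that is not Grafana's own code: an unbounded handler (the CWE-770 pattern the description names) next to the same handler wrapped in http.MaxBytesReader. The 1 MiB cap, the /example/query path and the map-based payload are assumptions standing in for Grafana's real route and request types.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxQueryBody is an assumed 1 MiB cap for a single query request body.
const maxQueryBody = 1 << 20

// vulnerableHandler buffers the whole body before decoding (the CWE-770 pattern): allocation scales with the payload.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	var q map[string]any
	if body, _ := io.ReadAll(r.Body); json.Unmarshal(body, &q) != nil { // unbounded read
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "%d fields", len(q))
}

// hardenedHandler caps the body before decoding starts: a read past the cap yields *http.MaxBytesError and a 413.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxQueryBody)
	var q map[string]any
	err := json.NewDecoder(r.Body).Decode(&q)
	var tooLarge *http.MaxBytesError
	switch {
	case errors.As(err, &tooLarge):
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "bad request", http.StatusBadRequest)
	default:
		fmt.Fprintf(w, "%d fields", len(q))
	}
}

func main() {
	// Constructed payload: valid JSON just over the cap, sent without a Content-Length as a chunked upload would be.
	big := `{"pad":"` + strings.Repeat("A", maxQueryBody) + `"}`
	for _, h := range []http.HandlerFunc{vulnerableHandler, hardenedHandler} {
		rec := httptest.NewRecorder()
		h(rec, httptest.NewRequest(http.MethodPost, "/example/query", io.NopCloser(strings.NewReader(big))))
		fmt.Println(rec.Code) // 200 for the unbounded handler, 413 for the capped one
	}
}
```

A reverse proxy in front of Grafana can enforce the same cap for the query route, but the in-process limit is what keeps the allocation from happening when a request reaches the handler directly.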

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-770
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-400

Mon, 22 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
Title | | Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-06-22T17:28:35.835Z

Reserved: 2026-04-24T15:38:08.066Z

Link: CVE-2026-42127

Vulnrichment

Updated: 2026-06-22T17:28:30.549Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling