Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
Summary
| CVE | CVE-2026-21720 |
|---|---|
| State | PUBLISHED |
| Assigner | GRAFANA |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-27 09:15:48 UTC |
| Updated | 2026-06-30 03:17:24 UTC |
| Description | Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-400 | CWE-703 | CWE-772 | CWE-400 CWE-400 Uncontrolled Resource Consumption | CWE-703 CWE-703 Improper Check or Handling of Exceptional Conditions | CWE-772 Missing Release of Resource after Effective Lifetime
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Grafana | Grafana/grafana-enterprise | affected 3.0.0 11.6.9 semver | Not specified |
| CNA | Grafana | Grafana/grafana-enterprise | affected 3.0.0 12.0.8 semver | Not specified |
| CNA | Grafana | Grafana/grafana-enterprise | affected 3.0.0 12.1.5 semver | Not specified |
| CNA | Grafana | Grafana/grafana | affected 3.0.0 11.6.9 semver | Not specified |
| CNA | Grafana | Grafana/grafana | affected 3.0.0 12.0.8 semver | Not specified |
| CNA | Grafana | Grafana/grafana | affected 3.0.0 12.1.5 semver | Not specified |
| CNA | Grafana | Grafana/grafana-enterprise | affected 3.0.0 12.2.3 semver | Not specified |
| CNA | Grafana | Grafana/grafana | affected 3.0.0 12.2.3 semver | Not specified |
| CNA | Grafana | Grafana/grafana-enterprise | affected 3.0.0 12.3.1 semver | Not specified |
| CNA | Grafana | Grafana/grafana | affected 3.0.0 12.3.1 semver | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-21720 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| grafana.com/security/security-advisories/cve-2026-21720 | [email protected] | grafana.com | Broken Link |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21720.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-01-27T10:01:10.677Z | Reported to Red Hat. |
| ADP | 2026-01-27T09:07:04.758Z | Made public. |
There are currently no legacy QID mappings associated with this CVE.