{"api_version":"1","generated_at":"2026-07-10T18:11:24+00:00","cve":"CVE-2026-33382","urls":{"html":"https://cve.report/CVE-2026-33382","api":"https://cve.report/api/cve/CVE-2026-33382.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33382","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33382"},"summary":{"title":"Denial of service via unbounded request body size","description":"Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service.","state":"PUBLISHED","assigner":"GRAFANA","published_at":"2026-07-10 16:16:29","updated_at":"2026-07-10 18:01:31"},"problem_types":["CWE-400","CWE-400 CWE-400"],"metrics":[{"version":"3.1","source":"security@grafana.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://grafana.com/security/security-advisories/cve-2026-33382","name":"https://grafana.com/security/security-advisories/cve-2026-33382","refsource":"security@grafana.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33382","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33382","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Grafana","product":"Grafana OSS","version":"affected 11.6.0 11.6.14 semver","platforms":[]},{"source":"CNA","vendor":"Grafana","product":"Grafana OSS","version":"affected 12.2.0 12.2.8 semver","platforms":[]},{"source":"CNA","vendor":"Grafana","product":"Grafana OSS","version":"affected 12.3.0 12.3.6 semver","platforms":[]},{"source":"CNA","vendor":"Grafana","product":"Grafana OSS","version":"affected 12.4.0 12.4.3 semver","platforms":[]},{"source":"CNA","vendor":"Grafana","product":"Grafana OSS","version":"affected 13.0.0 13.0.1 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-33382","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-10T15:59:38.846803Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-10T15:59:43.742Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Grafana OSS","vendor":"Grafana","versions":[{"lessThanOrEqual":"11.6.14","status":"affected","version":"11.6.0","versionType":"semver"},{"lessThanOrEqual":"12.2.8","status":"affected","version":"12.2.0","versionType":"semver"},{"lessThanOrEqual":"12.3.6","status":"affected","version":"12.3.0","versionType":"semver"},{"lessThanOrEqual":"12.4.3","status":"affected","version":"12.4.0","versionType":"semver"},{"lessThanOrEqual":"13.0.1","status":"affected","version":"13.0.0","versionType":"semver"}]}],"datePublic":"2026-06-09T00:00:00.000Z","descriptions":[{"lang":"en","value":"Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service."}],"metrics":[{"cvssV3_1":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","description":"CWE-400","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-10T15:40:06.071Z","orgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","shortName":"GRAFANA"},"references":[{"tags":["vendor-advisory"],"url":"https://grafana.com/security/security-advisories/cve-2026-33382"}],"source":{"discovery":"INTERNAL_FINDING"},"title":"Denial of service via unbounded request body size","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","assignerShortName":"GRAFANA","cveId":"CVE-2026-33382","datePublished":"2026-07-10T14:58:23.329Z","dateReserved":"2026-03-19T07:55:06.978Z","dateUpdated":"2026-07-10T15:59:43.742Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-10 16:16:29","lastModifiedDate":"2026-07-10 18:01:31","problem_types":["CWE-400","CWE-400 CWE-400"],"metrics":{"cvssMetricV31":[{"source":"security@grafana.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-10T15:59:38.846803Z","id":"CVE-2026-33382","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33382","Ordinal":"1","Title":"Denial of service via unbounded request body size","CVE":"CVE-2026-33382","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33382","Ordinal":"1","NoteData":"Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service.","Type":"Description","Title":"Denial of service via unbounded request body size"}]}}}