Known Vulnerabilities for products from Grafana
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Grafana".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-42129 json | A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints... | Not Provided | 2026-06-22 | 2026-07-10 |
| CVE-2026-42127 json | The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to... | Not Provided | 2026-06-22 | 2026-07-10 |
| CVE-2026-33382 json | Not Provided | 2026-07-10 | 2026-07-10 | |
| CVE-2026-33381 json | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few secon... | Not Provided | 2026-05-13 | 2026-06-16 |
| CVE-2026-33380 json | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesys... | Not Provided | 2026-05-13 | 2026-06-16 |
| CVE-2026-33378 json | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server... | Not Provided | 2026-05-13 | 2026-05-28 |
| CVE-2026-33377 json | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write a... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-33376 json | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitl... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-33375 json | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restricti... | Not Provided | 2026-03-26 | 2026-03-31 |
| CVE-2026-28383 json | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body i... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-28381 json | The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data so... | Not Provided | 2026-06-22 | 2026-06-30 |
| CVE-2026-28380 json | Any Editor could delete any snapshot, even if they have no access to read or write them. | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-28379 json | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent ... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-28378 json | The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to ... | Not Provided | 2026-07-07 | 2026-07-10 |
| CVE-2026-28377 json | A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potent... | Not Provided | 2026-03-26 | 2026-03-31 |
| CVE-2026-28376 json | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request ... | Not Provided | 2026-05-13 | 2026-05-18 |
| CVE-2026-28375 json | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | Not Provided | 2026-03-27 | 2026-03-31 |
| CVE-2026-28374 json | Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the an... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-27880 json | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. | Not Provided | 2026-03-27 | 2026-06-30 |
| CVE-2026-27879 json | A resample query can be used to trigger out-of-memory crashes in Grafana. | Not Provided | 2026-03-27 | 2026-03-31 |
Known software with vulnerabilities from Grafana
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Grafana | Grafana | - |
| Application | Grafana | Piechart-panel | 0.0.1 |