Known Vulnerabilities for products from Grafana
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Grafana".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-33381 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few secon... | Not Provided | 2026-05-13 | 2026-06-16 |
| CVE-2026-33380 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesys... | Not Provided | 2026-05-13 | 2026-06-16 |
| CVE-2026-33378 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server... | Not Provided | 2026-05-13 | 2026-05-28 |
| CVE-2026-33377 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write a... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-33376 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitl... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-33375 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restricti... | Not Provided | 2026-03-26 | 2026-03-31 |
| CVE-2026-28383 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body i... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-28381 | | Not Provided | 2026-06-22 | 2026-06-22 |
| CVE-2026-28380 | Any Editor could delete any snapshot, even if they have no access to read or write them. | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-28379 | | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-28377 | | Not Provided | 2026-03-26 | 2026-03-27 |
| CVE-2026-28376 | | Not Provided | 2026-05-13 | 2026-05-14 |
| CVE-2026-28375 | | Not Provided | 2026-03-27 | 2026-03-31 |
| CVE-2026-28374 | Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the an... | Not Provided | 2026-05-13 | 2026-06-02 |
| CVE-2026-27880 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes. | Not Provided | 2026-03-27 | 2026-05-10 |
| CVE-2026-27879 | A resample query can be used to trigger out-of-memory crashes in Grafana. | Not Provided | 2026-03-27 | 2026-03-31 |
| CVE-2026-27878 | | Not Provided | 2026-06-19 | 2026-06-19 |
| CVE-2026-27877 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used i... | Not Provided | 2026-03-27 | 2026-05-10 |
| CVE-2026-27876 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RC... | Not Provided | 2026-03-27 | 2026-04-02 |
| CVE-2026-21727 | Cross-Tenant Legacy Correlation Disclosure and Deletion | Not Provided | 2026-04-15 | 2026-04-20 |
Known software with vulnerabilities from Grafana
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Grafana | Grafana | - |
| Application | Grafana | Piechart-panel | 0.0.1 |