2 vulnerabilities found for Grafana OSS by Grafana
CVE-2026-21724 (GCVE-0-2026-21724)
Vulnerability from cvelistv5
Published
2026-03-26 20:06
Modified
2026-04-15 19:25
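Severity: MEDIUM (CVSS 3.1 base score 5.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, assigned by the CNA, Grafana)
SSVC (CISA ADP): Exploitation: none; Automatable: no; Technical Impact: partial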
Summary
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
References
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/cve-2026-21724 | vendor-advisory |
Impacted products
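| Vendor | Product | Affected versions (semver) |
|---|---|---|
| Grafana | Grafana OSS | 12.3.1 ≤ version < 12.3.6 |
| Grafana | Grafana OSS | 12.2.2 ≤ version < 12.2.8 |
| Grafana | Grafana OSS | 12.1.5 ≤ version < 12.1.10 |
| Grafana | Grafana OSS | 11.6.9 ≤ version < 11.6.14 |

Default status for versions outside these ranges: unaffected. Platform: OnPrem.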
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:42:43.732342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:56:12.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.3.6",
"status": "affected",
"version": "12.3.1",
"versionType": "semver"
},
{
"lessThan": "12.2.8",
"status": "affected",
"version": "12.2.2",
"versionType": "semver"
},
{
"lessThan": "12.1.10",
"status": "affected",
"version": "12.1.5",
"versionType": "semver"
},
{
"lessThan": "11.6.14",
"status": "affected",
"version": "11.6.9",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-25T22:00:37.352Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T19:25:06.401Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-21724"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Missing Protected-field Authorization in Provisioning Contact Points API",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-21724",
"datePublished": "2026-03-26T20:06:18.829Z",
"dateReserved": "2026-01-05T09:26:06.214Z",
"dateUpdated": "2026-04-15T19:25:06.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33375 (GCVE-0-2026-33375)
Vulnerability from cvelistv5
Published
2026-03-26 20:05
Modified
2026-04-15 19:25
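Severity: MEDIUM (CVSS 3.1 base score 6.5, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, assigned by the CNA, Grafana)
SSVC (CISA ADP): Exploitation: none; Automatable: no; Technical Impact: partial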
Summary
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
References
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/cve-2026-33375 | vendor-advisory |
Impacted products
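| Vendor | Product | Affected versions (semver) |
|---|---|---|
| Grafana | Grafana OSS | 11.6.0 ≤ version < 11.6.14+security-01 |
| Grafana | Grafana OSS | 12.1.0 ≤ version < 12.1.10+security-01 |
| Grafana | Grafana OSS | 12.2.0 ≤ version < 12.2.8+security-01 |
| Grafana | Grafana OSS | 12.3.0 ≤ version < 12.3.6+security-01 |
| Grafana | Grafana OSS | 12.4.0 ≤ version < 12.4.2 |

Default status for versions outside these ranges: unaffected. Platform: OnPrem.

Note: four of the upper bounds carry a `+security-01` build-metadata suffix, which strict semver comparison ignores when ordering versions. A scanner that compares by strict semver precedence may therefore treat plain 11.6.14, 12.1.10, 12.2.8 and 12.3.6 as outside the affected range, although the record presumably means those builds are still affected and only the `+security-01` builds are fixed. Confirm this against the vendor advisory.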
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:39:23.654250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:40:37.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"OnPrem"
],
"product": "Grafana OSS",
"vendor": "Grafana",
"versions": [
{
"lessThan": "11.6.14+security-01",
"status": "affected",
"version": "11.6.0",
"versionType": "semver"
},
{
"lessThan": "12.1.10+security-01",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
},
{
"lessThan": "12.2.8+security-01",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.3.6+security-01",
"status": "affected",
"version": "12.3.0",
"versionType": "semver"
},
{
"lessThan": "12.4.2",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-26T12:52:32.117Z",
"descriptions": [
{
"lang": "en",
"value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T19:25:09.166Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2026-33375"
}
],
"source": {
"discovery": "BUG_BOUNTY"
},
"title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2026-33375",
"datePublished": "2026-03-26T20:05:52.564Z",
"dateReserved": "2026-03-19T07:55:06.977Z",
"dateUpdated": "2026-04-15T19:25:09.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}