Common Vulnerabilities and Exposures (CVE)

CVE-2026-21721

Jul 13, 2026 13:27:23 UTC

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other...

CVE-2026-8595

Jul 13, 2026 13:27:22 UTC

A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting).

CVE-2026-42129

Jul 13, 2026 13:27:21 UTC

A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information.

CVE-2026-21724

Jul 13, 2026 13:27:20 UTC

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protec...

CVE-2026-28374

Jul 13, 2026 13:27:19 UTC

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

CVE-2026-33376

Jul 13, 2026 13:27:18 UTC

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is af...

CVE-2026-27879

Jul 13, 2026 13:27:17 UTC

A resample query can be used to trigger out-of-memory crashes in Grafana.

CVE-2026-42127

Jul 13, 2026 13:27:16 UTC

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service...

CVE-2026-28375

Jul 13, 2026 13:27:15 UTC

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

CVE-2026-28379

Jul 13, 2026 13:27:14 UTC

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of ...

CVE-2026-33378

Jul 13, 2026 13:27:13 UTC

Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour t...

CVE-2026-21727

Jul 13, 2026 13:27:13 UTC

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severi...

CVE-2026-28377

Jul 13, 2026 13:27:12 UTC

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goo...

CVE-2026-8609

Jul 13, 2026 13:27:11 UTC

An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service).

CVE-2026-57744

Jul 13, 2026 13:27:11 UTC

Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Object Injection.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.