PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-21720 Grafana CVE debrief

CVE-2026-21720 is a HIGH severity vulnerability in Grafana that can lead to memory exhaustion and crashes due to uncached avatar requests. Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, causing the goroutine to block forever. Sustained traffic with random hashes can keep tripping this timeout, causing the goroutine count to grow linearly and eventually exhausting memory. This vulnerability affects multiple versions of Grafana, including 3.0.0 to 11.6.9, 12.0.0 to 12.0.8, 12.1.0 to 12.1.5, and 12.2.0 to 12.2.3. The vulnerability has been publicly disclosed and patched by Grafana.

Vendor: Grafana
Product: grafana/grafana-enterprise
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-27
Original CVE updated: 2026-06-30
Advisory published: 2026-01-27
Advisory updated: 2026-06-30

Who should care

Grafana users and administrators should be aware of this vulnerability and take immediate action to patch their installations. This vulnerability can be exploited by sending sustained traffic with random hashes to the /avatar/:hash endpoint, leading to potential denial-of-service (DoS) attacks. Users of Grafana versions 3.0.0 to 11.6.9, 12.0.0 to 12.0.8, 12.1.0 to 12.1.5, and 12.2.0 to 12.2.3 are affected.

Technical summary

The vulnerability is caused by the way Grafana handles uncached /avatar/:hash requests. When such a request arrives, a goroutine is spawned to refresh the Gravatar image through a 10-slot worker queue. If the refresh has not completed within three seconds, the handler times out and stops listening for the result; the goroutine then blocks forever when it tries to deliver a result that nothing will ever receive. Under sustained requests for uncached hashes, the number of blocked goroutines grows with the request volume, eventually exhausting memory and crashing Grafana. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity.
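The goroutine leak described above is a generic Go pattern: a worker sends its result on an unbuffered channel, and the only receiver has already returned after a timeout. The following is an added illustration written for this debrief, not Grafana's code or its actual patch. The `Refresher`, `Simulate` and `fetch` names, the one-slot worker pool, and the 20 ms timeout are all constructed so that the leak and the hardened variant (a result channel with room for one value, so the send never blocks) can be compared deterministically.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Refresher models the request path described in the debrief: every uncached
// avatar request spawns a goroutine that waits for one of a fixed number of
// worker slots, fetches the image, and hands the result back to the handler.
// Hypothetical reconstruction for illustration only, not Grafana's code.
type Refresher struct {
	slots    chan struct{} // bounded worker pool (the debrief's 10-slot queue)
	buffered bool          // true: hardened variant, result channel has capacity 1
	finished int64         // refresh goroutines that ran to completion
}

func NewRefresher(workers int, buffered bool) *Refresher {
	return &Refresher{slots: make(chan struct{}, workers), buffered: buffered}
}

// Finished reports how many refresh goroutines have exited.
func (r *Refresher) Finished() int64 { return atomic.LoadInt64(&r.finished) }

// Refresh spawns the refresh goroutine and waits for its result or for ctx to
// expire (the handler's three-second timeout in the real service).
func (r *Refresher) Refresh(ctx context.Context, hash string, fetch func(string) []byte) ([]byte, error) {
	var result chan []byte
	if r.buffered {
		result = make(chan []byte, 1) // send completes even if nobody is listening
	} else {
		result = make(chan []byte) // send blocks until a receiver arrives
	}
	go func() {
		defer atomic.AddInt64(&r.finished, 1)
		r.slots <- struct{}{} // wait for a worker slot
		data := fetch(hash)
		<-r.slots      // release the slot
		result <- data // leaky variant: blocks forever once the handler has given up
	}()
	select {
	case data := <-result:
		return data, nil
	case <-ctx.Done():
		return nil, ctx.Err() // handler stops listening; the goroutine is on its own
	}
}

// Simulate issues `requests` uncached lookups against a pool of one worker
// whose fetch is held open until every handler has timed out, then releases
// the fetch and counts how many refresh goroutines never exit.
func Simulate(buffered bool, requests int) (timedOut, leaked int) {
	gate := make(chan struct{})
	fetch := func(hash string) []byte {
		<-gate // constructed stand-in for a slow upstream Gravatar fetch
		return []byte("png:" + hash)
	}
	r := NewRefresher(1, buffered)
	var wg sync.WaitGroup
	var timeouts int64
	for i := 0; i < requests; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			ctx, cancel := context.WithTimeout(context.Background(), 20*time.Millisecond)
			defer cancel()
			_, err := r.Refresh(ctx, fmt.Sprintf("hash-%d", i), fetch)
			if errors.Is(err, context.DeadlineExceeded) {
				atomic.AddInt64(&timeouts, 1)
			}
		}(i)
	}
	wg.Wait()   // every handler has timed out and stopped listening
	close(gate) // now let the fetches complete
	deadline := time.Now().Add(time.Second)
	for r.Finished() < int64(requests) && time.Now().Before(deadline) {
		time.Sleep(5 * time.Millisecond)
	}
	return int(atomic.LoadInt64(&timeouts)), requests - int(r.Finished())
}

func main() {
	for _, buffered := range []bool{false, true} {
		timedOut, leaked := Simulate(buffered, 5)
		fmt.Printf("buffered=%v timed out=%d leaked goroutines=%d\n", buffered, timedOut, leaked)
	}
}
```

With the unbuffered channel every timed-out request leaves one goroutine parked on `result <- data` for the life of the process, which is exactly the linear growth the debrief describes; with the one-slot buffer the send completes, the goroutine exits and the unread result is garbage collected. An equivalent fix is to have the goroutine `select` between the send and `ctx.Done()`. For detection, a steadily rising goroutine count in the process's Go runtime metrics while avatar request latency stays high is the symptom to alert on.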

Defensive priority

High priority should be given to patching Grafana installations to prevent potential DoS attacks. Administrators should ensure that their installations are updated to a patched version as soon as possible.

Recommended defensive actions

  • Patch Grafana installations to a version that fixes the vulnerability
  • Monitor Grafana logs for suspicious activity
  • Implement rate limiting on /avatar/:hash requests
  • Consider using a caching layer for Gravatar images
  • Review and update Grafana configurations to prevent exploitation
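The rate-limiting action in the list above can be demonstrated with a small per-client token bucket that only guards /avatar/ paths. This is an added example written for this debrief, not Grafana's code; `AvatarLimiter`, `Drive`, the bucket parameters and the client address are all constructed, and the clock is injectable so the behaviour is deterministic. In practice the same limit is usually enforced at the reverse proxy in front of Grafana rather than inside it.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// bucket holds one client's remaining tokens and the last refill time.
type bucket struct {
	tokens float64
	last   time.Time
}

// AvatarLimiter is a per-client token bucket applied only to /avatar/ paths.
// Hypothetical illustration of the debrief's rate-limiting advice, not Grafana's code.
type AvatarLimiter struct {
	mu      sync.Mutex
	buckets map[string]*bucket
	rate    float64          // tokens refilled per second
	burst   float64          // bucket capacity
	now     func() time.Time // injectable clock, so behaviour is deterministic
}

func NewAvatarLimiter(rate, burst float64, now func() time.Time) *AvatarLimiter {
	if now == nil {
		now = time.Now
	}
	return &AvatarLimiter{buckets: map[string]*bucket{}, rate: rate, burst: burst, now: now}
}

// Allow refills the client's bucket for the elapsed time and spends one token.
func (l *AvatarLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: t}
		l.buckets[key] = b
	}
	b.tokens += t.Sub(b.last).Seconds() * l.rate
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// clientKey buckets by source IP; behind a proxy, use the proxy-supplied client address instead.
func clientKey(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Middleware rejects over-limit avatar requests before they reach the handler
// that would spawn a refresh goroutine; other paths are passed through untouched.
func (l *AvatarLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/avatar/") && !l.Allow(clientKey(r)) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "too many avatar requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Drive sends n avatar requests with distinct hashes from one constructed client
// address and returns each status code, using httptest so nothing touches the network.
func Drive(h http.Handler, n int) []int {
	codes := make([]int, 0, n)
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/avatar/%032x", i), nil)
		req.RemoteAddr = "203.0.113.7:40000" // constructed client address
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
	}
	return codes
}

func main() {
	clock := time.Unix(0, 0)
	limiter := NewAvatarLimiter(1, 3, func() time.Time { return clock })
	h := limiter.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stands in for the real avatar handler
	}))
	fmt.Println(Drive(h, 5)) // burst of 3 allowed, then 429s
	clock = clock.Add(2 * time.Second)
	fmt.Println(Drive(h, 3)) // two tokens refilled in two seconds
}
```

Keying on source IP bounds what a single client can push through the uncached path but not what many addresses can do together, which is why the debrief pairs rate limiting with patching and with caching rather than offering it as a substitute.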

Evidence notes

The vulnerability was publicly disclosed on January 27, 2026, and patched by Grafana on an unspecified date. The CVE record and NVD detail pages provide additional information about the vulnerability, including its CVSS score and affected versions.

Official resources

This article was generated with AI assistance based on the supplied source corpus.