PatchSiren cyber security CVE debrief
CVE-2026-21720 Grafana CVE debrief
CVE-2026-21720 is a HIGH severity vulnerability in Grafana that can lead to memory exhaustion and crashes through uncached avatar requests. Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue for longer than three seconds, the handler times out and stops listening for the result, so the goroutine blocks forever on the handoff and is never reclaimed. Sustained traffic with random hashes misses the cache on every request and keeps tripping this timeout, so the goroutine count grows linearly with the number of timed-out requests until memory is exhausted. Affected versions are Grafana 3.0.0 to 11.6.9, 12.0.0 to 12.0.8, 12.1.0 to 12.1.5, and 12.2.0 to 12.2.3. The vulnerability has been publicly disclosed and patched by Grafana.
- Vendor: Grafana
- Product: grafana/grafana-enterprise
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-27
- Advisory updated: 2026-06-30
Who should care
Grafana users and administrators should patch promptly. The vulnerability is exploited by sending sustained traffic with random hashes to the /avatar/:hash endpoint, which leads to denial of service (DoS): the Grafana process exhausts memory and crashes, and a supervisor restart only resets the goroutine count until the next burst. Nothing in the description requires credentials or user interaction, so treat the endpoint as reachable by anyone who can reach the instance unless a proxy in front of Grafana restricts it. Users of Grafana versions 3.0.0 to 11.6.9, 12.0.0 to 12.0.8, 12.1.0 to 12.1.5, and 12.2.0 to 12.2.3 are affected.
Technical summary
The defect is in how Grafana handles uncached /avatar/:hash requests. On a cache miss the handler spawns a goroutine to refresh the Gravatar image and waits for its result. Refreshes share a 10-slot worker queue, so under load a refresh can wait in the queue for longer than the handler's three-second timeout. When that happens the handler gives up and stops listening for the result, but the goroutine is not told; when it eventually produces the image it tries to hand it to a receiver that no longer exists and blocks forever, pinning its stack and the fetched bytes. Because the attacker chooses the hash, every request with a fresh random value is a guaranteed cache miss, so the leak rate is attacker-controlled and the goroutine count grows linearly with the number of timed-out requests until the process runs out of memory and crashes. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity.
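The leak pattern described above, reduced to a runnable Go illustration. This is an added example written for this debrief, not Grafana's code: the channel handoff between handler and refresh goroutine, the `refreshFunc` helper, the gate that stalls refreshes, and the `leakyAvatar`/`fixedAvatar`/`LeakedGoroutines` names are all assumptions made to show the mechanism. The vulnerable variant hands the result back over an unbuffered channel, so once the handler has timed out the send blocks forever; the fixed variant uses a one-slot buffered channel so the goroutine can always deposit its result and exit. `LeakedGoroutines` pushes 20 requests through each variant while refreshes are stalled (standing in for the 10-slot queue backing up), then counts how many goroutines outlived their handlers.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
	"time"
)

// refreshFunc stands in for the Gravatar fetch: given the avatar hash it
// returns the image bytes. Assumed helper for this example, not Grafana's API.
type refreshFunc func(hash string) []byte

// leakyAvatar models the vulnerable pattern. The refresh runs in its own
// goroutine and hands the result back over an UNBUFFERED channel. When the
// handler gives up after timeout nobody is left to receive, so the send
// blocks forever and the goroutine (stack plus image bytes) is never freed.
func leakyAvatar(hash string, refresh refreshFunc, timeout time.Duration) ([]byte, bool) {
	result := make(chan []byte) // capacity 0: send blocks until received
	go func() {
		result <- refresh(hash)
	}()
	select {
	case img := <-result:
		return img, true
	case <-time.After(timeout):
		return nil, false // handler returns; the goroutine above is stranded
	}
}

// fixedAvatar is the same handler with a one-slot buffered channel: the
// refresh goroutine can always deposit its result and exit, whether or not
// the handler is still listening. (Selecting on a context's Done channel
// inside the goroutine is the other common fix for this shape.)
func fixedAvatar(hash string, refresh refreshFunc, timeout time.Duration) ([]byte, bool) {
	result := make(chan []byte, 1) // capacity 1: the send never blocks
	go func() {
		result <- refresh(hash)
	}()
	select {
	case img := <-result:
		return img, true
	case <-time.After(timeout):
		return nil, false // stale result is dropped with the channel
	}
}

const queueSlots = 10 // worker-queue size taken from the advisory description

// LeakedGoroutines drives n uncached requests through fetch while every
// refresh is stalled behind a gate (a full worker queue in front of a slow
// upstream), so each handler times out. It then opens the gate, lets the
// refreshes finish, and reports how many goroutines outlived their handlers.
func LeakedGoroutines(fetch func(string, refreshFunc, time.Duration) ([]byte, bool), n int) int {
	gate := make(chan struct{})
	slots := make(chan struct{}, queueSlots)
	var finished sync.WaitGroup
	finished.Add(n)
	refresh := func(hash string) []byte {
		slots <- struct{}{} // wait for one of the 10 worker slots
		defer func() { <-slots }()
		<-gate // queued: blocked until the gate opens
		finished.Done()
		return []byte("png:" + hash)
	}

	before := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		hash := fmt.Sprintf("%032x", i) // distinct 32-hex "Gravatar" hash: always a cache miss
		if _, ok := fetch(hash, refresh, time.Millisecond); ok {
			panic("refresh is stalled; handler should have timed out")
		}
	}
	close(gate) // queue drains: every refresh now tries to return its result
	finished.Wait()
	time.Sleep(50 * time.Millisecond) // let goroutines that can exit do so
	return runtime.NumGoroutine() - before
}

func main() {
	fmt.Println("vulnerable pattern, stranded goroutines:", LeakedGoroutines(leakyAvatar, 20))
	fmt.Println("fixed pattern, stranded goroutines:     ", LeakedGoroutines(fixedAvatar, 20))
}
```

Run it and the vulnerable variant reports 20 stranded goroutines for 20 timed-out requests, the fixed variant 0; scale n up and the first number tracks it linearly, which is exactly the growth the advisory describes.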
Defensive priority
Patching should be treated as high priority: the attack needs nothing more than sustained HTTP traffic to one endpoint and takes the whole Grafana process down. Administrators should update to a patched release for their branch as soon as possible; where that has to wait, put a rate limit on /avatar/ in front of Grafana in the meantime.
Recommended defensive actions
- Patch Grafana to a release that fixes the vulnerability (the stored evidence does not name the fixed versions; check the Grafana advisory for your branch)
- Monitor for exploitation: a sustained stream of /avatar/ requests carrying many distinct hashes from one source, avatar requests completing at roughly three seconds (the handler timeout), and a goroutine count or resident memory for the Grafana process that climbs and never returns to baseline. Grafana's /metrics endpoint exposes the standard Go gauge go_goroutines, which should settle after load; under this bug it ratchets upward
- Rate limit /avatar/:hash at the reverse proxy or WAF in front of Grafana; the leak is per timed-out request, so capping the request rate caps the leak rate
- A caching layer for Gravatar images helps legitimate repeat traffic but not this attack: random hashes miss every cache, so treat caching as hygiene rather than mitigation
- Review Grafana configuration: the [security] disable_gravatar setting stops Grafana fetching images from Gravatar, but the stored evidence does not say whether it prevents this leak, so verify against the fix before relying on it
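A detection check for the "many distinct hashes from one source" and "requests completing at the timeout" signals above, as an added example written for this debrief. The log lines are constructed; their logfmt field names (`path`, `remote_addr`, `time_ms`, `msg="Request Completed"`) are assumed to mirror Grafana's router log lines and should be checked against what your instance actually writes. The `parseLogfmt`, `DistinctAvatarHashes`, `SlowAvatarRequests` and `Suspects` helpers are this example's own, not part of Grafana.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of Grafana-style router log lines. 10.0.0.5 sprays six
// distinct hashes that each take about 3 s (the handler timeout); 10.0.0.9
// reloads one real avatar three times; 192.0.2.7 fetches one avatar once.
const sampleLog = `t=2026-01-27T10:00:00Z level=info msg="Request Completed" method=GET path=/avatar/46d229b033af06a191ff2267bca9ae56 remote_addr=10.0.0.9 time_ms=4
t=2026-01-27T10:00:01Z level=info msg="Request Completed" method=GET path=/api/health remote_addr=10.0.0.9 time_ms=1
t=2026-01-27T10:00:02Z level=info msg="Request Completed" method=GET path=/avatar/0f3a7c2d9b1e4a6c8d5f0e7b9a3c1d2e remote_addr=10.0.0.5 time_ms=3002
t=2026-01-27T10:00:02Z level=info msg="Request Completed" method=GET path=/avatar/9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f remote_addr=10.0.0.5 time_ms=3001
t=2026-01-27T10:00:03Z level=info msg="Request Completed" method=GET path=/avatar/46d229b033af06a191ff2267bca9ae56 remote_addr=10.0.0.9 time_ms=2
t=2026-01-27T10:00:03Z level=info msg="Request Completed" method=GET path=/avatar/1a2b3c4d5e6f708192a3b4c5d6e7f809 remote_addr=10.0.0.5 time_ms=3004
t=2026-01-27T10:00:04Z level=info msg="Request Completed" method=GET path=/avatar/ffeeddccbbaa99887766554433221100 remote_addr=10.0.0.5 time_ms=3000
t=2026-01-27T10:00:04Z level=info msg="Request Completed" method=GET path=/avatar/d41d8cd98f00b204e9800998ecf8427e remote_addr=192.0.2.7 time_ms=35
t=2026-01-27T10:00:05Z level=info msg="Request Completed" method=GET path=/avatar/00112233445566778899aabbccddeeff remote_addr=10.0.0.5 time_ms=3003
t=2026-01-27T10:00:05Z level=info msg="Request Completed" method=GET path=/avatar/46d229b033af06a191ff2267bca9ae56 remote_addr=10.0.0.9 time_ms=2
t=2026-01-27T10:00:06Z level=info msg="Request Completed" method=GET path=/avatar/abcdef0123456789abcdef0123456789 remote_addr=10.0.0.5 time_ms=3001
`

// parseLogfmt splits one logfmt line into key/value pairs, honouring
// double-quoted values such as msg="Request Completed" and empty values.
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	i := 0
	for i < len(line) {
		for i < len(line) && line[i] == ' ' {
			i++
		}
		if i >= len(line) {
			break
		}
		eq := strings.IndexByte(line[i:], '=')
		if eq < 0 {
			break // bare trailing token, nothing left to parse
		}
		key := line[i : i+eq]
		i += eq + 1
		var val string
		if i < len(line) && line[i] == '"' {
			if end := strings.IndexByte(line[i+1:], '"'); end < 0 {
				val, i = line[i+1:], len(line)
			} else {
				val, i = line[i+1:i+1+end], i+2+end
			}
		} else {
			if end := strings.IndexByte(line[i:], ' '); end < 0 {
				val, i = line[i:], len(line)
			} else {
				val, i = line[i:i+end], i+end
			}
		}
		fields[key] = val
	}
	return fields
}

// avatarRequest is one /avatar/:hash hit pulled out of the log.
type avatarRequest struct {
	remote string
	hash   string
	ms     int
}

// avatarRequests keeps only the lines whose path is under /avatar/.
func avatarRequests(log string) []avatarRequest {
	var reqs []avatarRequest
	for _, line := range strings.Split(log, "\n") {
		f := parseLogfmt(strings.TrimSpace(line))
		if !strings.HasPrefix(f["path"], "/avatar/") {
			continue
		}
		hash := strings.TrimPrefix(f["path"], "/avatar/")
		if hash == "" {
			continue
		}
		ms, _ := strconv.Atoi(f["time_ms"]) // missing or malformed counts as 0
		reqs = append(reqs, avatarRequest{f["remote_addr"], hash, ms})
	}
	return reqs
}

// DistinctAvatarHashes counts, per client address, how many different
// avatar hashes it asked for. A browser reloading a dashboard repeats the
// same few hashes; a spray produces a new hash on every request.
func DistinctAvatarHashes(log string) map[string]int {
	seen := map[string]map[string]bool{}
	for _, r := range avatarRequests(log) {
		if seen[r.remote] == nil {
			seen[r.remote] = map[string]bool{}
		}
		seen[r.remote][r.hash] = true
	}
	counts := make(map[string]int, len(seen))
	for remote, hashes := range seen {
		counts[remote] = len(hashes)
	}
	return counts
}

// SlowAvatarRequests counts avatar requests that took at least minMs;
// a pile-up at ~3000 ms is the handler timeout firing.
func SlowAvatarRequests(log string, minMs int) int {
	n := 0
	for _, r := range avatarRequests(log) {
		if r.ms >= minMs {
			n++
		}
	}
	return n
}

// Suspects lists client addresses that requested at least threshold
// distinct hashes, sorted for stable output.
func Suspects(log string, threshold int) []string {
	var out []string
	for remote, n := range DistinctAvatarHashes(log) {
		if n >= threshold {
			out = append(out, remote)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("distinct hashes per client:", DistinctAvatarHashes(sampleLog))
	fmt.Println("avatar requests at/over 3000 ms:", SlowAvatarRequests(sampleLog, 3000))
	fmt.Println("suspects (>= 5 distinct hashes):", Suspects(sampleLog, 5))
}
```

Feed it a real window of router logs and tune the threshold to your instance's normal avatar traffic; the distinct-hash count per source is the discriminating signal, since legitimate clients repeat the same few hashes while an attacker never does.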
Evidence notes
The vulnerability was publicly disclosed on January 27, 2026. Grafana has released a fix, but the stored evidence does not record the fix date or the fixed version numbers. The CVE record and NVD detail pages carry the CVSS score and the affected-version ranges summarised above.
Official resources
- CVE-2026-21720 CVE record (CVE.org)
- CVE-2026-21720 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.