PatchSiren cyber security CVE debrief
CVE-2026-27880 Grafana CVE debrief
CVE-2026-27880 is a high-severity denial-of-service issue described by NVD as an unbounded-memory read in the OpenFeature feature toggle evaluation endpoint that can lead to out-of-memory crashes. The record is network-exploitable, requires no privileges or user interaction, and is rated 7.5 (HIGH).
- Vendor: Grafana
- Product: CVE-2026-27880
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-27
- Original CVE updated: 2026-05-10
- Advisory published: 2026-03-27
- Advisory updated: 2026-05-10
Who should care
Grafana administrators, SRE teams, and security owners running affected Grafana versions, especially where the OpenFeature evaluation endpoint is reachable over the network.
Technical summary
NVD classifies this issue as CWE-787 (Out-of-bounds Write) with a secondary CWE-125 (Out-of-bounds Read), and the supplied description says the endpoint reads unbounded values into memory until the process exhausts memory and crashes. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a remotely triggerable availability impact with no required authentication or user interaction. NVD's affected-version criteria cover Grafana releases prior to 12.1.0, plus later vulnerable ranges before 12.2.0, 12.3.0, and 12.4.0, as listed in the record.
Defensive priority
High — this is an unauthenticated, network-exploitable crash condition with service availability impact.
Recommended defensive actions
- Review the linked Grafana advisory and compare your deployed Grafana version against the affected NVD CPE ranges.
- Upgrade to a non-vulnerable Grafana release identified by the vendor advisory or NVD before placing the service back into exposed use.
- If immediate upgrading is not possible, restrict network access to the evaluation endpoint and limit who can reach the service.
- Monitor for unusual memory growth, process restarts, and crash loops on affected instances.
- Confirm whether any dependent automation or integrations send large or unexpected values to the evaluation endpoint and apply input-size controls where feasible.
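The last action above is the input-size control a defender would add in front of any handler that buffers a request body. The following Go snippet is an added illustration of that pattern, not Grafana's code and not a reproduction of the flaw: it contrasts a handler that buffers whatever it is sent with one that caps the body via http.MaxBytesReader. The endpoint path "/feature-eval" and the 4 KiB limit are assumptions; the page gives neither.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Assumed for this example only: the page names neither the endpoint path
// nor a vendor limit, so "/feature-eval" and a 4 KiB cap are placeholders.
const maxEvalBody int64 = 4 << 10

// done records how many body bytes the handler ended up holding in memory.
func done(w http.ResponseWriter, body []byte) {
	w.Header().Set("X-Bytes-Read", strconv.Itoa(len(body)))
	w.WriteHeader(http.StatusOK)
}

// unboundedHandler is the risky pattern: the whole body is buffered whatever
// its size, so peak memory use is chosen by the sender.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	done(w, body)
}

// boundedHandler wraps the body in http.MaxBytesReader so at most maxEvalBody
// bytes are ever buffered; a larger body gets 413 instead of a big allocation.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxEvalBody)
	body, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) {
		http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	done(w, body)
}

// post drives h with a constructed n-byte body; returns status and bytes buffered.
func post(h http.HandlerFunc, n int) (status, buffered int) {
	req := httptest.NewRequest(http.MethodPost, "/feature-eval", strings.NewReader(strings.Repeat("x", n)))
	rec := httptest.NewRecorder()
	h(rec, req)
	buffered, _ = strconv.Atoi(rec.Header().Get("X-Bytes-Read"))
	return rec.Code, buffered
}
```

Driving both handlers with a 1 MiB constructed body shows the difference: the unbounded handler buffers all of it, the bounded one answers 413 having read at most the cap.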
Evidence notes
This debrief is based only on the supplied NVD CVE record and its linked official vendor reference. The record states that the OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes, and it assigns CVSS 3.1 7.5 HIGH with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The NVD record also lists CWE-787 and CWE-125 and provides affected-version criteria for Grafana release lines.
Official resources
- CVE-2026-27880 CVE record (CVE.org)
- CVE-2026-27880 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE published 2026-03-27 and last modified 2026-05-10. No KEV listing was supplied in the provided timeline.