PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28375 Grafana CVE debrief

CVE-2026-28375 is a medium-severity vulnerability in Grafana's testdata data-source that can trigger out-of-memory crashes. The vulnerability was published on March 27, 2026, and last modified on June 17, 2026. It has a CVSS score of 6.5 and is classified as CWE-400. The vulnerability affects multiple versions of Grafana, including those prior to 8.1.0, 11.6.14, 12.0.0, 12.1.10, 12.2.8, and 12.3.6. Users of affected versions should take immediate action to mitigate the risk.

Vendor: Grafana
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-27
Original CVE updated: 2026-06-17
Advisory published: 2026-03-27
Advisory updated: 2026-06-17

Who should care

Grafana users and administrators who rely on the testdata data-source should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of Grafana or applying recommended mitigations.

Technical summary

The vulnerability is caused by a flaw in the testdata data-source of Grafana, which can be exploited to trigger out-of-memory crashes. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: it is reachable over the network with low attack complexity, requires low privileges and no user interaction, does not affect confidentiality or integrity, and has a high impact on availability, giving a medium-severity rating overall. Affected versions of Grafana include those prior to 8.1.0, 11.6.14, 12.0.0, 12.1.10, 12.2.8, and 12.3.6.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to a patched version of Grafana (8.1.0 or later, 11.6.14 or later, 12.0.0 or later, 12.1.10 or later, 12.2.8 or later, or 12.3.6 or later)
  • Apply recommended mitigations as described in the vendor advisory [ref-4]
  • Monitor Grafana logs for signs of out-of-memory crashes
  • Implement memory limits and monitoring for Grafana instances
  • Restrict access to the testdata data-source to only trusted users
  • Regularly review and update Grafana configurations to ensure security best practices are followed
  • Consider implementing additional security measures such as rate limiting and IP blocking
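To turn the upgrade guidance above into a repeatable check, the following added example (not code from PatchSiren or the Grafana project) classifies an installed Grafana version against the fix versions listed in this debrief. It assumes, as a conservative reading of the list, that a release is patched only when it is at or above the listed fix version on its own major.minor branch, and that branches the page does not name cannot be judged from the page alone.

```python
# Added example for CVE-2026-28375: decide whether an installed Grafana
# version is older than the fix versions this debrief lists. The per-branch
# handling is an assumption made here, not a statement from the advisory.
from typing import Tuple

# Fix versions exactly as stated on the page.
FIXED_VERSIONS = ["8.1.0", "11.6.14", "12.0.0", "12.1.10", "12.2.8", "12.3.6"]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn strings such as 'v12.1.3' or '12.1.3-security-01' into (12, 1, 3)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(installed: str) -> str:
    """
    Return 'patched', 'affected' or 'unknown-branch'.
    Assumption: anything below the lowest listed fix version is affected; on a
    listed major.minor branch the installed patch level is compared with that
    branch's fix; a branch the page does not list is reported as unknown so the
    operator consults the vendor advisory instead of guessing.
    """
    v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in FIXED_VERSIONS)
    if v < fixes[0]:
        return "affected"
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if not same_branch:
        return "unknown-branch"
    return "patched" if v >= same_branch[0] else "affected"


if __name__ == "__main__":
    # Constructed sample inputs, e.g. from `grafana server -v` or the /api/health endpoint.
    for sample in ["8.0.5", "v11.6.14", "12.1.9", "12.3.6-security-01", "12.4.0"]:
        print(f"{sample:>20}: {assess(sample)}")
```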

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and the CVE.org record. The vulnerability was published on March 27, 2026, and last modified on June 17, 2026. The CVSS score and vector were provided by the NVD.
