PatchSiren cyber security CVE debrief
CVE-2026-28376 Grafana CVE debrief
CVE-2026-28376 is a medium-severity (CVSS 6.5) denial-of-service vulnerability in Grafana affecting multiple versions. The Grafana Live push endpoint fails to properly limit request body sizes, allowing authenticated attackers to trigger unbounded memory allocation through large or streaming requests, potentially causing out-of-memory conditions. The vulnerability requires low attack complexity and low privileges (authenticated user with Grafana Live API access), with no user interaction needed. Affected versions span 8.0.0 through 11.6.14, 12.0.0 through 12.2.8, 12.3.0 through 12.3.6, 12.4.0 through 12.4.3, and early 13.x versions (13.0.0, 13.0.1). Patched versions include 11.6.14, 12.2.8, 12.3.6, and 12.4.3 (including security01 variants), with fixes integrated into subsequent releases. The root cause is improper resource allocation without size limits (CWE-770). Organizations should upgrade to patched versions or apply vendor-provided mitigations.
- Vendor: Grafana
- Product: Grafana OSS
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-18
Who should care
Organizations running Grafana versions 8.0.0 through 12.4.3 or early 13.x (13.0.0, 13.0.1) with Grafana Live enabled. Priority for environments where Grafana is exposed to multiple authenticated users or where availability is critical.
Technical summary
The Grafana Live push endpoint accepts request bodies without enforced size limits. An authenticated user can submit large or streaming payloads that cause unbounded memory allocation, leading to out-of-memory conditions and denial of service. The vulnerability is remotely exploitable with low privileges and no user interaction required.
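The resource-allocation pattern behind this bug, shown as an added Go example that is not Grafana's code and makes no claim about how Grafana Live is implemented: a handler that buffers the whole request body with io.ReadAll lets memory grow with whatever the client sends, while wrapping the body in http.MaxBytesReader caps what a single request can make the server allocate. The 64 KiB cap, the placeholder route and the helper names are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxPushBody is an assumed cap for one push payload (64 KiB here; the right
// value depends on the largest legitimate frame the endpoint expects).
const maxPushBody int64 = 64 << 10

// unboundedPushHandler shows the CWE-770 pattern: it buffers the whole request
// body with no upper limit, so memory use tracks whatever the client sends,
// including a chunked stream that never ends.
func unboundedPushHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// boundedPushHandler wraps the body in http.MaxBytesReader. Reading fails with
// *http.MaxBytesError once maxPushBody bytes have been consumed, the server
// marks the connection to be closed, and the handler answers 413. The cap is
// applied to bytes actually read, so it holds for chunked streams with no
// Content-Length as well as for a single oversized body.
func boundedPushHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxPushBody)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// pushStatus drives a handler with an in-memory POST whose body is bodySize
// bytes (constructed input) and returns the HTTP status it produced. The path
// is a placeholder, not Grafana's real route.
func pushStatus(h http.HandlerFunc, bodySize int) int {
	body := strings.NewReader(strings.Repeat("x", bodySize))
	req := httptest.NewRequest(http.MethodPost, "/push/example-stream", body)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	const oversized = 1 << 20 // 1 MiB, well above the cap
	fmt.Println("unbounded, 1 MiB:", pushStatus(unboundedPushHandler, oversized))
	fmt.Println("bounded, 1 MiB:  ", pushStatus(boundedPushHandler, oversized))
	fmt.Println("bounded, 1 KiB:  ", pushStatus(boundedPushHandler, 1<<10))
}
```

The unbounded handler returns 200 for the 1 MiB body after allocating all of it; the bounded handler stops reading at the cap and returns 413, while a 1 KiB body still returns 200. A cap on bytes read is the check that matters here, because a Content-Length check alone does nothing against a streaming request that omits the header.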
Defensive priority
medium
Recommended defensive actions
- Upgrade Grafana to patched versions: 11.6.14, 12.2.8, 12.3.6, 12.4.3, or later
- If immediate patching is not feasible, restrict Grafana Live API access to trusted authenticated users only
- Monitor Grafana instance memory utilization for anomalous spikes that may indicate exploitation attempts
- Review and apply any additional vendor mitigations from the Grafana security advisory
Evidence notes
CVE published 2026-05-13; NVD entry modified 2026-05-18. CPE data confirms affected version ranges from 8.0.0 through multiple 12.x branches and early 13.x. CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms network-accessible, low-privilege, high-availability-impact classification. Vendor advisory tagged as authoritative source.
Official resources
- CVE-2026-28376 CVE record (CVE.org)
- CVE-2026-28376 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2026-05-13