PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33375 Grafana CVE debrief

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer role) to bypass API restrictions and trigger Out-Of-Memory (OOM) memory exhaustion, crashing the host container. The vulnerability has a CVSS score of 6.5 (Medium severity). Affected Grafana versions are 11.6.0 to 11.6.14, 12.1.0 to 12.1.10, 12.2.0 to 12.2.8, 12.3.0 to 12.3.6, and 12.4.0 to 12.4.2. Exploitation requires only low privileges and no user interaction.

Vendor
Grafana
Product
Grafana OSS
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-26
Original CVE updated
2026-06-17
Advisory published
2026-03-26
Advisory updated
2026-06-17

Who should care

Grafana administrators, and anyone operating a Grafana instance that grants Viewer accounts to untrusted or semi-trusted users, should be aware of this vulnerability. A single low-privileged user can trigger an Out-Of-Memory crash, which directly affects the availability of the Grafana service.

Technical summary

CVE-2026-33375 is caused by a logic flaw in the Grafana MSSQL data source plugin that lets a low-privileged user (Viewer) bypass API restrictions and exhaust the memory of the Grafana process. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: network-reachable, low attack complexity, low privileges required, no user interaction, no confidentiality or integrity impact, and high availability impact, for an overall Medium severity.

Defensive priority

Medium

Recommended defensive actions

  • Update Grafana to a version that patches this vulnerability
  • Restrict access to the Grafana MSSQL data source plugin
  • Monitor Grafana logs for suspicious activity
  • Implement additional access controls (least privilege on data source and plugin endpoints) so that low-privileged users cannot reach the affected functionality
  • Consider upgrading to a version of Grafana that is not affected by this vulnerability
  • Review and update user privileges to prevent low-privileged users from accessing sensitive data
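To support the first action above, here is an added example (not code from PatchSiren or from Grafana) that checks a Grafana version string against the affected ranges listed in this debrief. It assumes the ranges are inclusive as written; a version outside them is reported as "not in listed ranges", which is not the same as confirmed fixed, so confirm against the vendor advisory. The `version_from_health` helper assumes the JSON shape of Grafana's `/api/health` response and is fed a constructed sample.

```python
import json
import re

# Affected ranges for CVE-2026-33375 exactly as listed in the debrief (inclusive).
AFFECTED_RANGES = [
    ("11.6.0", "11.6.14"),
    ("12.1.0", "12.1.10"),
    ("12.2.0", "12.2.8"),
    ("12.3.0", "12.3.6"),
    ("12.4.0", "12.4.2"),
]

# Accepts "12.3.4", "v12.3.4", "12.3.4-pre" or "12.3.4+security-01";
# pre-release/build suffixes are ignored for range comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn a Grafana version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside any listed affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_health(health_json: str) -> str:
    """Extract the version from a /api/health response body (assumed shape:
    {"commit": ..., "database": ..., "version": ...})."""
    return json.loads(health_json)["version"]


def triage(versions) -> dict:
    """Map each observed version to a short status for an inventory report."""
    return {v: ("affected" if is_affected(v) else "not in listed ranges") for v in versions}


# Constructed sample response, not captured from a real instance.
SAMPLE_HEALTH = '{"commit": "abc1234", "database": "ok", "version": "12.3.6"}'

if __name__ == "__main__":
    print(triage([version_from_health(SAMPLE_HEALTH), "v12.4.3", "11.6.14", "12.0.1"]))
```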

Evidence notes

The information provided is based on the CVE-2026-33375 record and the NVD detail page, which supply the vulnerability description, its severity rating, and the affected Grafana versions.

Official resources

CVE-2026-33375 was published on 2026-03-26T21:17:05.573Z and modified on 2026-06-17T13:20:16.357Z.