PatchSiren cyber security CVE debrief
CVE-2026-42127 Grafana CVE debrief
CVE-2026-42127 is a high-severity vulnerability in Grafana's public dashboard query endpoint. The endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability. The vulnerability has a CVSS score of 7.5 and is classified as HIGH. The CVE was published on 2026-06-22T18:16:37.430Z and last modified on 2026-06-22T20:19:54.763Z.
- Vendor: Grafana
- Product: Grafana Enterprise
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-22
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-22
- Advisory updated: 2026-06-22
Who should care
Grafana users and administrators should be aware of this vulnerability, as it can be exploited by unauthenticated attackers to cause denial of service. Organizations using Grafana should review their configurations and apply patches or mitigations as needed. Security teams should prioritize patching and monitoring for potential exploitation attempts.
Technical summary
The public dashboard query endpoint in Grafana does not limit request body size before processing, allowing attackers to send large JSON payloads that can cause excessive memory allocation and lead to denial of service. The vulnerability has a CVSS score of 7.5 and is classified as HIGH. The attack vector is network-based, and no authentication or access token is required. The vulnerability affects the Grafana product, but the specific product name is not confirmed.
Defensive priority
High priority should be given to patching or mitigating this vulnerability, as it can be exploited by unauthenticated attackers to cause denial of service. Organizations should review their Grafana configurations and apply patches or mitigations as needed.
Recommended defensive actions
- Review and apply patches or mitigations for the Grafana public dashboard query endpoint vulnerability.
- Monitor for potential exploitation attempts and adjust security controls as needed.
- Verify Grafana configurations and ensure that security best practices are followed.
- Consider implementing additional security controls, such as rate limiting or IP blocking, to prevent exploitation attempts.
- Review and update incident response plans to address potential denial of service attacks.
Evidence notes
The CVE-2026-42127 vulnerability is based on information from the NVD and CVE.org. The vulnerability affects the Grafana product, but the specific product name is not confirmed. The CVSS score is 7.5, and the vulnerability is classified as HIGH. The attack vector is network-based, and no authentication or access token is required.
Official resources
- CVE-2026-42127 CVE record (CVE.org)
- CVE-2026-42127 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
This article is AI-assisted and based on the supplied source corpus.