Grafana

This hub aggregates every CVE we track for Grafana, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Grafana.

• CVE-2026-28374IDOR in Annotations API allows unprivileged users to DELETE annotation4.3May 13, 2026
• CVE-2026-33378Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro6.5May 13, 2026
• CVE-2026-28383Grafana plugin resources can lead to unbounded memory allocation6.5May 13, 2026
• CVE-2026-33376Auth Proxy IPv6 whitelist bypass7.4May 13, 2026
• CVE-2026-33380SQL Expressions Read File From Disk6.3May 13, 2026
• CVE-2026-28380BAC in Snapshot API allows deletion of unauthorized dashboard snapshots6.5May 13, 2026
• CVE-2026-33381Users can generate Service Account tokens after permissions removal5.9May 13, 2026
• CVE-2026-33377Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin7.1May 13, 2026
• CVE-2026-28376Grafana Live push endpoint allows unbounded memory allocation leading to OOM6.5May 13, 2026
• CVE-2026-28379Viewer-triggered race condition in Grafana Live leads to complete server crash6.5May 13, 2026
• CVE-2026-21727Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record3.3Apr 15, 2026
• CVE-2025-12141Grafana Alerting Editors can edit destination of webhooks they did not create6.5Apr 15, 2026
• BDU:2026-04993Уязвимости ИИ-модуля платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю обойти существующие механизмы безопасности и раскрыть защищаемую информацию7.5Apr 13, 2026
• CVE-2026-39882OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies5.3Apr 8, 2026
• CVE-2026-27879Query resampling can cause unbounded memory allocations6.5Mar 27, 2026