CVE-2026-33382

Summary

Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana OSS11.6.0 <= 11.6.14affected
GrafanaGrafana OSS12.2.0 <= 12.2.8affected
GrafanaGrafana OSS12.3.0 <= 12.3.6affected
GrafanaGrafana OSS12.4.0 <= 12.4.3affected
GrafanaGrafana OSS13.0.0 <= 13.0.1affected

Weaknesses

  • CWE-400: CWE-400

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References