CVE-2026-42127

Summary

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana Enterprise0 <= 11.6.14affected
GrafanaGrafana Enterprise0 <= 12.2.8affected
GrafanaGrafana Enterprise0 <= 12.3.6affected
GrafanaGrafana Enterprise0 <= 12.4.3affected
GrafanaGrafana Enterprise0 <= 13.0.1affected
GrafanaGrafana OSS11.6.0 <= 11.6.14affected
GrafanaGrafana OSS12.2.0 <= 12.2.8affected
GrafanaGrafana OSS12.3.0 <= 12.3.6affected
GrafanaGrafana OSS12.4.0 <= 12.4.3affected
GrafanaGrafana OSS13.0.0 <= 13.0.1affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References