CVE-2026-8609

Summary

An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service).

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana OSS11.6.0 <= 11.6.14affected
GrafanaGrafana OSS12.2.0 <= 12.2.8affected
GrafanaGrafana OSS12.3.0 <= 12.3.6affected
GrafanaGrafana OSS12.4.0 <= 12.4.3affected
GrafanaGrafana OSS13.0.0 <= 13.0.1affected

Weaknesses

  • CWE-400: CWE-400

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References