CVE-2026-33382

Source
https://cve.org/CVERecord?id=CVE-2026-33382
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33382.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33382
Aliases
Downstream
Published
2026-07-10T14:58:23.329Z
Modified
2026-07-16T03:48:26.751929345Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of service via unbounded request body size
Details

Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service.

Database specific
{
    "cna_assigner": "GRAFANA",
    "cwe_ids": [
        "CWE-400"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "11.6.0"
                },
                {
                    "last_affected": "11.6.14"
                },
                {
                    "introduced": "12.2.0"
                },
                {
                    "last_affected": "12.2.8"
                },
                {
                    "introduced": "12.3.0"
                },
                {
                    "last_affected": "12.3.6"
                },
                {
                    "introduced": "12.4.0"
                },
                {
                    "last_affected": "12.4.3"
                },
                {
                    "introduced": "13.0.0"
                },
                {
                    "last_affected": "13.0.1"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33382.json"
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*",
    "extracted_events": [
        {
            "introduced": "11.6.0"
        },
        {
            "fixed": "11.6.15"
        },
        {
            "introduced": "12.2.0"
        },
        {
            "fixed": "12.2.9"
        },
        {
            "introduced": "12.3.0"
        },
        {
            "fixed": "12.3.7"
        },
        {
            "introduced": "12.4.0"
        },
        {
            "fixed": "12.4.4"
        },
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.0.2"
        }
    ]
}

Affected versions

v11.*
v11.6.0
v11.6.10
v11.6.11
v11.6.12
v11.6.13
v11.6.14
v11.6.14+security-01
v11.6.2
v11.6.4
v11.6.5
v11.6.6
v11.6.7
v11.6.8
v11.6.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33382.json"