BIT-grafana-2026-42127

Import Source
https://github.com/bitnami/vulndb/tree/main/data/grafana/BIT-grafana-2026-42127.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-grafana-2026-42127
Aliases
  • CVE-2026-42127
Published
2026-06-26T08:43:07.401Z
Modified
2026-06-29T15:00:03.946506931Z
Summary
Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
Details

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

Database specific
{
    "cpes": [
        "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
        "cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*"
    ],
    "severity": "High"
}

Affected packages

Bitnami / grafana

Package

Name
grafana
Purl
pkg:bitnami/grafana

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected ranges

Type
SEMVER
Events
  • Introduced 11.6.0, Fixed 11.6.15
  • Introduced 12.2.0, Fixed 12.2.9
  • Introduced 12.3.0, Fixed 12.3.7
  • Introduced 12.4.0, Fixed 12.4.4
  • Introduced 13.0.0, Fixed 13.0.2

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/grafana/BIT-grafana-2026-42127.json"