CVE-2026-8609

Source
https://cve.org/CVERecord?id=CVE-2026-8609
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8609.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8609
Aliases
Downstream
Published
2026-07-10T14:58:33.522Z
Modified
2026-07-17T03:41:39.714473979Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Pre-authentication denial of service via the OAuth login route
Details

An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service).

Database specific
{
    "cwe_ids": [
        "CWE-400"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8609.json",
    "cna_assigner": "GRAFANA",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "11.6.0"
                },
                {
                    "last_affected": "11.6.14"
                },
                {
                    "introduced": "12.2.0"
                },
                {
                    "last_affected": "12.2.8"
                },
                {
                    "introduced": "12.3.0"
                },
                {
                    "last_affected": "12.3.6"
                },
                {
                    "introduced": "12.4.0"
                },
                {
                    "last_affected": "12.4.3"
                },
                {
                    "introduced": "13.0.0"
                },
                {
                    "last_affected": "13.0.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Database specific
{
    "cpe": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*",
    "extracted_events": [
        {
            "introduced": "11.6.0"
        },
        {
            "fixed": "11.6.15"
        },
        {
            "introduced": "12.2.0"
        },
        {
            "fixed": "12.2.9"
        },
        {
            "introduced": "12.3.0"
        },
        {
            "fixed": "12.3.7"
        },
        {
            "introduced": "12.4.0"
        },
        {
            "fixed": "12.4.4"
        },
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.0.2"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

v11.*
v11.6.0
v11.6.10
v11.6.11
v11.6.12
v11.6.13
v11.6.14
v11.6.14+security-01
v11.6.2
v11.6.4
v11.6.5
v11.6.6
v11.6.7
v11.6.8
v11.6.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8609.json"