{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28375", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-27T07:16:12.218Z", "datePublished": "2026-03-27T14:26:19.270Z", "dateUpdated": "2026-05-13T19:28:25.189Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:25.189Z"}, "datePublic": "2026-03-27T14:23:47.094Z", "title": "Grafana Testdata datasource can issue unbounded memory allocations", "descriptions": [{"lang": "en", "value": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana."}], "affected": [{"vendor": "Grafana", "product": "Grafana", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "8.1.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.14"}, {"version": "12.0.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.10"}, {"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.8"}, {"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.6"}, {"version": "12.4.0", "status": "affected", "versionType": "semver", "lessThan": "12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-28375", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "INTERNAL_FINDING"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:00:57.773116Z", "id": "CVE-2026-28375", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:01:14.243Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T15:00:57.773116Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:01:09.359Z"}}], "cna": {"title": "Grafana Testdata datasource can issue unbounded memory allocations", "source": {"discovery": "INTERNAL_FINDING"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "11.6.14", "versionType": "semver"}, {"status": "affected", "version": "12.0.0", "lessThan": "12.1.10", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.8", "versionType": "semver"}, {"status": "affected", "version": "12.3.0", "lessThan": "12.3.6", "versionType": "semver"}, {"status": "affected", "version": "12.4.0", "lessThan": "12.4.2", "versionType": "semver"}], "platforms": ["OnPrem"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-27T14:23:47.094Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-28375", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:25.189Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28375", "state": "PUBLISHED", "dateUpdated": "2026-05-13T19:28:25.189Z", "dateReserved": "2026-02-27T07:16:12.218Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-27T14:26:19.270Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D7C388A-A7A0-4ED2-B0D4-3D9440B59F17", "versionEndExcluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5845D5E9-8631-4F0B-B100-24DCDE4C8C1F", "versionEndExcluding": "12.0.0", "versionStartIncluding": "11.6.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE3F977F-FF94-4A15-918C-54241EC49560", "versionEndExcluding": "12.2.0", "versionStartIncluding": "12.1.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB499815-0B44-4BF9-AB14-F7272EF0173F", "versionEndExcluding": "12.3.0", "versionStartIncluding": "12.2.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F2B145A-24E0-4C0F-BF82-FFD2B1301B51", "versionEndExcluding": "12.4.0", "versionStartIncluding": "12.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana."}], "id": "CVE-2026-28375", "lastModified": "2026-03-31T18:15:45.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:51.547", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-28375"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Grafana: Denial of Service via testdata data-source", "id": "2452279", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452279"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Grafana. A remote attacker with low privileges could exploit this vulnerability by using a specially crafted testdata data-source. This could trigger out-of-memory crashes, leading to a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-28375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T14:26:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28375\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28375\nhttps://grafana.com/security/security-advisories/cve-2026-28375"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0,11.6.14)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,12.1.10)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.0,12.2.8)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.0,12.3.6)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.4.0,12.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Grafana", "source": "cna", "vendor": "Grafana"}, "product": "grafana", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-03-31T19:28:55.625180+00:00", "value": {"mitigation_remediation": ["Apply the latest Grafana patch.", "Disable the testdata datasource if not needed.", "Monitor Grafana logs for out-of-memory events."], "summary": {"action": "Patch", "impact": "Out-of-memory crash causing denial of service"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to Grafana, the monitoring and observability platform. Specific affected versions are not listed in the advisory; therefore, all released Grafana packages should be treated as vulnerable until a version that addresses the issue is identified.", "description_and_impact": "A testdata data\u2011source can trigger unbounded memory allocations within Grafana, causing out\u2011of\u2011memory crashes that lead to a denial of service. The weakness is a resource exhaustion flaw, classified as CWE\u2011400 (Uncontrolled Resource Consumption) and CWE\u2011770 (Allocation of Resources on Demand). When triggered, the application terminates, potentially impacting all users connected to the affected instance.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no publicly known exploits at this time. The attack vector is inferred to be local or authenticated access to Grafana's configuration interface, where an attacker can create or modify a testdata datasource to produce the unbounded memory allocation. Any system that allows testdata datasources to be defined is therefore at risk."}}}}, "created": "2026-03-27T20:28:31.124969+00:00", "updated": "2026-03-31T20:01:11.772340+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"]}