{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33375", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-03-19T07:55:06.977Z", "datePublished": "2026-03-26T20:05:52.564Z", "dateUpdated": "2026-05-13T19:28:42.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:42.782Z"}, "datePublic": "2026-03-26T12:52:32.117Z", "title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS", "descriptions": [{"lang": "en", "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "11.6.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.14+security-01"}, {"version": "12.1.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.10+security-01"}, {"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.8+security-01"}, {"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.6+security-01"}, {"version": "12.4.0", "status": "affected", "versionType": "semver", "lessThan": "12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-33375", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:39:23.654250Z", "id": "CVE-2026-33375", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:40:37.122Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:39:23.654250Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:39:19.947Z"}}], "cna": {"title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "versions": [{"status": "affected", "version": "11.6.0", "lessThan": "11.6.14+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.1.0", "lessThan": "12.1.10+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.8+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.3.0", "lessThan": "12.3.6+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.4.0", "lessThan": "12.4.2", "versionType": "semver"}], "platforms": ["OnPrem"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-26T12:52:32.117Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-33375", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-05-13T19:28:42.782Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33375", "state": "PUBLISHED", "dateUpdated": "2026-05-13T19:28:42.782Z", "dateReserved": "2026-03-19T07:55:06.977Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-26T20:05:52.564Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "D46EB6A0-D0D1-4209-B7B5-3BACD4ADAF9F", "versionEndExcluding": "11.6.14", "versionStartIncluding": "11.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "C0016311-847E-438D-A1C7-B03005867EAF", "versionEndExcluding": "12.1.10", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "96AAB185-6025-4B8F-A07E-CABD00DDC295", "versionEndExcluding": "12.2.8", "versionStartIncluding": "12.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "581CC6E2-4E52-4E13-804B-8D944BA03D15", "versionEndExcluding": "12.3.6", "versionStartIncluding": "12.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "A699040D-CF1F-474F-A01D-49C6E62C026B", "versionEndExcluding": "12.4.2", "versionStartIncluding": "12.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."}, {"lang": "es", "value": "El plugin de fuente de datos de Grafana MSSQL contiene un fallo l\u00f3gico que permite a un usuario con pocos privilegios (Visor) eludir las restricciones de la API y desencadenar un agotamiento catastr\u00f3fico de la memoria por Out-Of-Memory (OOM), lo que provoca la ca\u00edda del contenedor anfitri\u00f3n."}], "id": "CVE-2026-33375", "lastModified": "2026-03-31T19:01:30.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:05.573", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-33375"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Grafana MSSQL Data Source Plugin: Grafana MSSQL Data Source Plugin: Denial of Service via Out-Of-Memory exhaustion", "id": "2451939", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451939"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in the Grafana MSSQL Data Source Plugin. A low-privileged user, such as a Viewer, can exploit a logic flaw to bypass API restrictions. This allows them to trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, leading to the crashing of the host container. This vulnerability can result in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-33375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T20:05:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33375\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33375\nhttps://grafana.com/security/security-advisories/cve-2026-33375"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[11.6.0,11.6.14+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.1.0,12.1.10+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.0,12.2.8+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.0,12.3.6+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.4.0,12.4.2)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Grafana OSS", "source": "cna", "vendor": "Grafana"}, "product": "grafana", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-04-01T03:52:11.211846+00:00", "value": {"mitigation_remediation": ["Apply the latest patched release of Grafana OSS that addresses the MSSQL data source plugin issue.", "Restrict Users with the Viewer role from accessing the plugin\u2019s API endpoints that can trigger memory exhaustion.", "Enforce container resource limits such as memory and CPU to prevent a single process from exhausting the host.", "Monitor Grafana logs and memory metrics for sudden spikes and investigate anomalous API usage."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service (Out-of-Memory)"}, "threat_synthesis": {"affected_systems": "The affected product is Grafana OSS, specifically the MSSQL data source plugin. No particular version numbers are listed in the advisory or CNA information, so every Grafana OSS deployment that includes the vulnerable plugin should be treated as affected until a patched release is installed.", "description_and_impact": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low\u2011privileged Viewer to bypass API restrictions. An attacker can cause the plugin to consume excessive memory, leading to an Out\u2011of\u2011Memory condition that forces the host container to crash. The weakness is a classic resource exhaustion problem, classified under CWE\u2011400 and CWE\u2011770.", "risk_and_exploitability": "The CVSS score of 6.5 places this issue in the moderate severity range, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is inferred to be remote if the Grafana instance is exposed to an attacker, but the requirement is only a Viewer\u2011privileged user with access to the relevant API endpoint. An authenticated internal user with a Viewer role could also trigger the denial of service by invoking the API. The impact is a service disruption that may affect all dashboards dependent on the MSSQL data source."}}}}, "created": "2026-03-27T08:32:10.856927+00:00", "updated": "2026-04-02T07:56:24.109627+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"]}