CVE-2026-33375
Received Received - Intake
Logic Flaw in Grafana MSSQL Plugin Causes OOM Crash

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: Grafana Labs

Description
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33375
EUVD
EUVD-2026-16351
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
grafana grafana From 11.6.0 (inc) to 11.6.14 (exc)
grafana grafana From 12.1.0 (inc) to 12.1.10 (exc)
grafana grafana From 12.2.0 (inc) to 12.2.8 (exc)
grafana grafana From 12.3.0 (inc) to 12.3.6 (exc)
grafana grafana From 12.4.0 (inc) to 12.4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33375 is a medium-severity vulnerability in the Grafana MSSQL data source plugin. It contains a logic flaw that allows a low-privileged user with the Viewer role to bypass API restrictions.

This flaw enables the attacker to trigger an Out-Of-Memory (OOM) condition, causing memory exhaustion that crashes the host container running Grafana.

Compliance Impact

The vulnerability causes a denial-of-service (DoS) condition by exhausting memory resources and crashing the host container. It does not impact confidentiality or integrity of data.

Since the flaw does not affect data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA. However, the resulting service disruption could affect availability requirements under these regulations.

Impact Analysis

The vulnerability can cause a denial-of-service (DoS) condition by exhausting memory resources and crashing the host container running Grafana.

Although it does not impact confidentiality or integrity, the crash can disrupt availability of the Grafana service, potentially affecting monitoring and data visualization operations.

Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade the Grafana MSSQL data source plugin to one of the fixed versions: 12.4.2, 11.6.14, 12.1.10, 12.2.8, or 12.3.6 or later.

This upgrade will prevent low-privileged users from bypassing API restrictions and triggering the Out-Of-Memory condition that causes the host container to crash.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33375. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart