CVE-2026-33375
Logic Flaw in Grafana MSSQL Plugin Causes OOM Crash
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: Grafana Labs
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | From 11.6.0 (inc) to 11.6.14 (exc) |
| grafana | grafana | From 12.1.0 (inc) to 12.1.10 (exc) |
| grafana | grafana | From 12.2.0 (inc) to 12.2.8 (exc) |
| grafana | grafana | From 12.3.0 (inc) to 12.3.6 (exc) |
| grafana | grafana | From 12.4.0 (inc) to 12.4.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33375 is a medium-severity vulnerability in the Grafana MSSQL data source plugin. It contains a logic flaw that allows a low-privileged user with the Viewer role to bypass API restrictions.
This flaw enables the attacker to trigger an Out-Of-Memory (OOM) condition, causing memory exhaustion that crashes the host container running Grafana.
How can this vulnerability impact me?
The vulnerability can cause a denial-of-service (DoS) condition by exhausting memory resources and crashing the host container running Grafana.
Although it does not impact confidentiality or integrity, the crash can disrupt availability of the Grafana service, potentially affecting monitoring and data visualization operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are advised to upgrade the Grafana MSSQL data source plugin to one of the fixed versions (12.4.2, 11.6.14, 12.1.10, 12.2.8, or 12.3.6) or later.
This upgrade will prevent low-privileged users from bypassing API restrictions and triggering the Out-Of-Memory condition that causes the host container to crash.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a denial-of-service (DoS) condition by exhausting memory resources and crashing the host container. It does not impact confidentiality or integrity of data.
Since the flaw does not affect data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA. However, the resulting service disruption could affect availability requirements under these regulations.