CVE-2026-28376
Analyzed
Analyzed - Analysis Complete
BaseFortify
Vulnerability report for CVE-2026-28376, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-13
Last updated on: 2026-05-18
Assigner: Grafana Labs
Description
Description
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | From 12.3.0 (inc) to 12.3.6 (exc) |
| grafana | grafana | 11.6.14 |
| grafana | grafana | 12.2.8 |
| grafana | grafana | 12.3.6 |
| grafana | grafana | From 12.4.0 (inc) to 12.4.3 (exc) |
| grafana | grafana | 11.6.14 |
| grafana | grafana | 12.2.8 |
| grafana | grafana | 12.3.6 |
| grafana | grafana | 13.0.0 |
| grafana | grafana | 13.0.1 |
| grafana | grafana | 12.4.3 |
| grafana | grafana | From 12.0.0 (inc) to 12.2.8 (exc) |
| grafana | grafana | From 8.0.0 (inc) to 11.6.14 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
