CVE-2026-33378
Analyzed
Analyzed - Analysis Complete
BaseFortify
Vulnerability report for CVE-2026-33378, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-13
Last updated on: 2026-05-28
Assigner: Grafana Labs
Description
Description
Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | From 12.3.0 (inc) to 12.3.6 (exc) |
| grafana | grafana | 11.6.14 |
| grafana | grafana | 12.2.8 |
| grafana | grafana | 12.3.6 |
| grafana | grafana | From 12.4.0 (inc) to 12.4.3 (exc) |
| grafana | grafana | 11.6.14 |
| grafana | grafana | 12.2.8 |
| grafana | grafana | 12.3.6 |
| grafana | grafana | 13.0.0 |
| grafana | grafana | 13.0.1 |
| grafana | grafana | 12.4.3 |
| grafana | grafana | From 12.0.0 (inc) to 12.2.8 (exc) |
| grafana | grafana | From 8.0.0 (inc) to 11.6.14 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
