CVE-2026-42127
Modified
Modified - Updated After Analysis
Memory Exhaustion in Grafana Public Dashboard Query Endpoint
Vulnerability report for CVE-2026-42127, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-22
Last updated on: 2026-07-10
Assigner: Grafana Labs
Description
Description
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | to 11.6.14 (inc) |
| grafana | grafana | From 12.3.0 (inc) to 12.3.6 (inc) |
| grafana | grafana | From 12.4.0 (inc) to 12.4.3 (inc) |
| grafana | grafana | From 13.0.0 (inc) to 13.0.1 (inc) |
| grafana | grafana | From 12.2.0 (inc) to 12.2.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |