CVE-2026-33382 PUBLISHED

Denial of service via unbounded request body size

Assigner: GRAFANA
Reserved: 19.03.2026 Published: 10.07.2026 Updated: 10.07.2026

Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor Grafana
Product Grafana OSS
Versions Default: unaffected
  • affected from 11.6.0 to 11.6.14 (incl.)
  • affected from 12.2.0 to 12.2.8 (incl.)
  • affected from 12.3.0 to 12.3.6 (incl.)
  • affected from 12.4.0 to 12.4.3 (incl.)
  • affected from 13.0.0 to 13.0.1 (incl.)

References

Problem Types

  • CWE-400 CWE