CVE-2026-8609 PUBLISHED

Pre-authentication denial of service via the OAuth login route

Assigner: GRAFANA
Reserved: 14.05.2026 Published: 10.07.2026 Updated: 10.07.2026

An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service).

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Product Status

Vendor Grafana
Product Grafana OSS
Versions Default: unaffected
  • affected from 11.6.0 to 11.6.14 (incl.)
  • affected from 12.2.0 to 12.2.8 (incl.)
  • affected from 12.3.0 to 12.3.6 (incl.)
  • affected from 12.4.0 to 12.4.3 (incl.)
  • affected from 13.0.0 to 13.0.1 (incl.)

Credits

  • cyberjoker (Researcher) finder

References

Problem Types

  • CWE-400 CWE