CVE 7.5 HIGH

Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out_CVE-2026-21720

January 27, 2026 invoker category_cve
7.5 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.

Basic Information

ID CVE-2026-21720
Source GRAFANA
Published Jan 27, 2026 at 09:07

Affected Product

Vendor Grafana
Product grafana/grafana-enterprise
Version 3.0.0
Affected Versions Grafana grafana/grafana-enterprise 3.0.0
Grafana grafana/grafana-enterprise 3.0.0
Grafana grafana/grafana-enterprise 3.0.0
Grafana grafana/grafana 3.0.0
Grafana grafana/grafana 3.0.0
Grafana grafana/grafana 3.0.0
Grafana grafana/grafana-enterprise 3.0.0
Grafana grafana/grafana 3.0.0
Grafana grafana/grafana-enterprise 3.0.0
Grafana grafana/grafana 3.0.0

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.