Viewer-triggered race condition in Grafana Live leads to complete server...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

Basic Information

ID CVE-2026-28379

Source GRAFANA

Published May 13, 2026 at 19:28

Modified May 13, 2026 at 19:35

Affected Product

Vendor Grafana

Product Grafana OSS

Version 8.2.0

Affected Versions Grafana Grafana OSS 8.2.0
Grafana Grafana OSS 11.6.14
Grafana Grafana OSS 12.0.0
Grafana Grafana OSS 12.2.8
Grafana Grafana OSS 12.3.0
Grafana Grafana OSS 12.3.6
Grafana Grafana OSS 12.4.0
Grafana Grafana OSS 12.4.3
Grafana Grafana OSS 13.0.0
Grafana Grafana OSS 13.0.1

References

grafana.com /security/security-advisories/cve-2026-28379

{
    "lastseen": "",
    "description": "A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.",
    "published": "2026-05-13T19:28:25.836Z",
    "modified": "2026-05-13T19:35:07.631Z",
    "type": "cve",
    "title": "Viewer-triggered race condition in Grafana Live leads to complete server crash",
    "source": "GRAFANA",
    "references": "https://grafana.com/security/security-advisories/cve-2026-28379",
    "id": "CVE-2026-28379",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Grafana Grafana OSS 8.2.0\nGrafana Grafana OSS 11.6.14\nGrafana Grafana OSS 12.0.0\nGrafana Grafana OSS 12.2.8\nGrafana Grafana OSS 12.3.0\nGrafana Grafana OSS 12.3.6\nGrafana Grafana OSS 12.4.0\nGrafana Grafana OSS 12.4.3\nGrafana Grafana OSS 13.0.0\nGrafana Grafana OSS 13.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Grafana OSS",
    "version": "8.2.0",
    "vendor": "Grafana",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Viewer-triggered race condition in Grafana Live leads to complete server crash_CVE-2026-28379

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply