Grafana pre-auth DoS through arbitrarily large input to public dashboard...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

Basic Information

ID CVE-2026-42127

Source GRAFANA

Published Jun 22, 2026 at 16:31

Affected Product

Vendor Grafana

Product Grafana Enterprise

Affected Versions Grafana Grafana Enterprise 0
Grafana Grafana Enterprise 0
Grafana Grafana Enterprise 0
Grafana Grafana Enterprise 0
Grafana Grafana Enterprise 0
Grafana Grafana OSS 11.6.0
Grafana Grafana OSS 12.2.0
Grafana Grafana OSS 12.3.0
Grafana Grafana OSS 12.4.0
Grafana Grafana OSS 13.0.0

References

grafana.com /security/security-advisories/cve-2026-42127

{
    "lastseen": "",
    "description": "The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.",
    "published": "2026-06-22T16:31:28.096Z",
    "modified": "2026-06-22T16:31:28.096Z",
    "type": "cve",
    "title": "Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler",
    "source": "GRAFANA",
    "references": "https://grafana.com/security/security-advisories/cve-2026-42127",
    "id": "CVE-2026-42127",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Grafana Grafana Enterprise 0\nGrafana Grafana Enterprise 0\nGrafana Grafana Enterprise 0\nGrafana Grafana Enterprise 0\nGrafana Grafana Enterprise 0\nGrafana Grafana OSS 11.6.0\nGrafana Grafana OSS 12.2.0\nGrafana Grafana OSS 12.3.0\nGrafana Grafana OSS 12.4.0\nGrafana Grafana OSS 13.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Grafana Enterprise",
    "version": "0",
    "vendor": "Grafana",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler_CVE-2026-42127

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply