
grafana — Vulnerabilities & Security Advisories 95

Browse all 95 CVE security advisories affecting grafana. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Grafana serves as a leading open-source platform for observability, enabling users to visualize metrics, logs, and traces from diverse data sources. Despite its utility, the software has accumulated 85 recorded Common Vulnerabilities and Exposures (CVEs), reflecting a history of security challenges. Historically, these flaws frequently involve remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from insufficient input validation or improper access controls in its plugin ecosystem and API endpoints. While no single catastrophic incident has defined its entire lifecycle, the high volume of CVEs indicates persistent risks in its complex architecture. Security teams must prioritize regular patching and strict configuration management to mitigate these known weaknesses, ensuring that the platform’s robust visualization capabilities do not compromise underlying infrastructure integrity.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-28374 | IDOR in Annotations API allows unprivileged users to DELETE annotation | Grafana OSS | | 4.3 | Medium | 2026-05-13 |
| CVE-2026-33378 | Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro | Grafana OSS | | 6.5 | Medium | 2026-05-13 |
| CVE-2026-28383 | Grafana plugin resources can lead to unbounded memory allocation | Grafana OSS | | 6.5 | Medium | 2026-05-13 |
| CVE-2026-33376 | Auth Proxy IPv6 whitelist bypass | Grafana OSS | | 7.4 | High | 2026-05-13 |
| CVE-2026-33380 | SQL Expressions Read File From Disk | Grafana OSS | | 6.3 | Medium | 2026-05-13 |
| CVE-2026-33381 | Users can generate Service Account tokens after permissions removal | Grafana OSS | | 5.9 | Medium | 2026-05-13 |
| CVE-2026-28380 | BAC in Snapshot API allows deletion of unauthorized dashboard snapshots | Grafana OSS | | 6.5 | Medium | 2026-05-13 |
| CVE-2026-33377 | Dashboard Import Overwrites ACL: Editor Privilege Escalation to Dashboard Admin | Grafana OSS | | 7.1 | High | 2026-05-13 |
| CVE-2026-28376 | Grafana Live push endpoint allows unbounded memory allocation leading to OOM | Grafana OSS | | 6.5 | Medium | 2026-05-13 |
| CVE-2026-28379 | Viewer-triggered race condition in Grafana Live leads to complete server crash | Grafana OSS | | 6.5 | Medium | 2026-05-13 |
| CVE-2026-21728 | Tempo query limit results in unbounded memory allocation | Tempo | | 7.5 | High | 2026-04-24 |
| CVE-2026-21726 | Loki Path Traversal - CVE-2021-36156 Bypass | Loki | | 5.3 | Medium | 2026-04-15 |
| CVE-2025-41118 | Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection | Pyroscope | | 9.1 | Critical | 2026-04-15 |
| CVE-2026-21727 | Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record | Grafana Correlations | | 3.3 | Low | 2026-04-15 |
| CVE-2025-12141 | Grafana Alerting Editors can edit destination of webhooks they did not create | Grafana Alerting | CWE-200 | 8.1 | - | 2026-04-15 |
| CVE-2026-27879 | Query resampling can cause unbounded memory allocations | Grafana | | 6.5 | Medium | 2026-03-27 |
| CVE-2026-28375 | Grafana Testdata datasource can issue unbounded memory allocations | Grafana | | 6.5 | Medium | 2026-03-27 |
| CVE-2026-27876 | RCE on Grafana via sqlExpressions | Grafana | | 9.1 | Critical | 2026-03-27 |
| CVE-2026-27880 | OpenFeature evaluation API reads input data with no bounds | Grafana | | 7.5 | High | 2026-03-27 |
| CVE-2026-27877 | Public dashboards disclose all direct mode datasources | Grafana | | 6.5 | Medium | 2026-03-27 |
| CVE-2026-28377 | S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern) | Tempo | | 7.5 | High | 2026-03-26 |
| CVE-2026-21724 | Missing Protected-field Authorization in Provisioning Contact Points API | Grafana OSS | | 5.4 | Medium | 2026-03-26 |
| CVE-2026-33375 | Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS | Grafana OSS | | 6.5 | Medium | 2026-03-26 |
| CVE-2026-21725 | Authorization Bypass via TOCTOU in Grafana Datasource Deletion by Name | Grafana | | 2.6 | Low | 2026-02-25 |
| CVE-2025-41117 | XSS in Grafana Explore stack trace | grafana/grafana | | 6.8 | Medium | 2026-02-12 |
| CVE-2026-21722 | Public Dashboards time range restriction on annotations can be bypassed | grafana/grafana | | 5.3 | Medium | 2026-02-12 |
| CVE-2026-21721 | Dashboard Permissions Scope Bypass Enables Cross-Dashboard Privilege Escalation | grafana/grafana | | 8.1 | High | 2026-01-27 |
| CVE-2026-21720 | Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out | grafana/grafana-enterprise | | 7.5 | High | 2026-01-27 |
| CVE-2025-41115 | Incorrect privilege assignment | Grafana Enterprise | | 10.0 | Critical | 2025-11-21 |
| CVE-2025-11539 | Arbitrary Code Execution in Grafana Image Renderer Plugin | grafana-image-renderer | CWE-94 | 9.9 | Critical | 2025-10-09 |

This page lists every published CVE security advisory associated with grafana. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.