CVSS: 4.3 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-28374 – IDOR in Annotations API allows unprivileged users to DELETE annotation
https://notcve.org/view.php?id=CVE-2026-28374
13 May 2026 — A user with the Editor role could delete any annotation, including annotations that the user had no permission to read or create. • https://grafana.com/security/security-advisories/cve-2026-28374 • CWE-284: Improper Access Control •
CVSS: 6.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-33378 – Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro
https://notcve.org/view.php?id=CVE-2026-33378
13 May 2026 — A negative interval passed to the $__timeGroup macro can drive the Grafana server out of memory. Exploitation requires a SQL data source. If the server is configured to auto-restart, the impact is minimal or non-existent, since the attack can take upwards of half an hour to crash the server. • https://grafana.com/security/security-advisories/cve-2026-33378 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-28383 – Grafana plugin resources can lead to unbounded memory allocation
https://notcve.org/view.php?id=CVE-2026-28383
13 May 2026 — A request to the Grafana plugin resources endpoint can cause unbounded memory allocation because the endpoint reads the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition and potentially a denial of service. • https://grafana.com/security/security-advisories/cve-2026-28383 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.4 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-33376 – Auth Proxy IPv6 whitelist bypass
https://notcve.org/view.php?id=CVE-2026-33376
13 May 2026 — When an IPv6 address is listed in the Auth Proxy allow-list without an explicit mask, it is treated as a /32 prefix. For IPv4 a /32 is a single host, but for IPv6 a /32 prefix covers 2^96 addresses, so the allow-list admits far more than the intended host. Entries that specify a mask explicitly are not affected; to mitigate, append the intended mask (usually /128) to each IPv6 entry. Only the Auth Proxy is affected; Okta, SAML, LDAP and the other authentication methods are not. • https://grafana.com/security/security-advisories/cve-2026-33376 • CWE-1188: Initialization of a Resource with an Insecure Default •
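The following is an added example (not Grafana's code) that models the weak default described above: allow-list entries without an explicit mask get a /32 prefix regardless of address family. `parseAllowList` takes the IPv6 default prefix length as a parameter so the same code shows the weak setting (32) beside the corrected one (128); the sample entries and client addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// parseAllowList turns allow-list entries into networks. Entries with an explicit
// mask are parsed as CIDR; bare IPv4 entries become /32 hosts; bare IPv6 entries get
// v6DefaultBits. With v6DefaultBits == 32 this reproduces the insecure default: a
// /32 IPv6 prefix spans 2^96 addresses. With 128 a bare entry is a single host.
func parseAllowList(entries []string, v6DefaultBits int) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if strings.Contains(e, "/") {
			_, n, err := net.ParseCIDR(e)
			if err != nil {
				return nil, err
			}
			nets = append(nets, n)
			continue
		}
		ip := net.ParseIP(e)
		if ip == nil {
			return nil, fmt.Errorf("invalid allow-list address %q", e)
		}
		var mask net.IPMask
		if ip4 := ip.To4(); ip4 != nil {
			ip = ip4
			mask = net.CIDRMask(32, 32)
		} else {
			mask = net.CIDRMask(v6DefaultBits, 128)
		}
		nets = append(nets, &net.IPNet{IP: ip.Mask(mask), Mask: mask})
	}
	return nets, nil
}

// isAllowed reports whether the client address falls inside any allow-list network.
func isAllowed(entries []string, v6DefaultBits int, client string) (bool, error) {
	nets, err := parseAllowList(entries, v6DefaultBits)
	if err != nil {
		return false, err
	}
	ip := net.ParseIP(client)
	if ip == nil {
		return false, fmt.Errorf("invalid client address %q", client)
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed allow-list: one IPv4 host and one bare IPv6 address (no mask).
	entries := []string{"10.0.0.5", "2001:db8::1"}
	for _, client := range []string{"2001:db8::1", "2001:db8:ffff::dead:beef", "10.0.0.6"} {
		weak, _ := isAllowed(entries, 32, client)
		fixed, _ := isAllowed(entries, 128, client)
		fmt.Printf("%-26s /32 default: %-5v /128 default: %v\n", client, weak, fixed)
	}
}
```

The unrelated address 2001:db8:ffff::dead:beef is admitted under the /32 default because only its first 32 bits are compared, and rejected once bare IPv6 entries default to /128. Writing the mask explicitly in the configuration (2001:db8::1/128) gives the same result on either build, which is the mitigation the advisory recommends.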
CVSS: 6.3 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-33380 – SQL Expressions Read File From Disk
https://notcve.org/view.php?id=CVE-2026-33380
13 May 2026 — A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable. • https://grafana.com/security/security-advisories/cve-2026-33380 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 6.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-28380 – BAC in Snapshot API allows deletion of unauthorized dashboard snapshots
https://notcve.org/view.php?id=CVE-2026-28380
13 May 2026 — Any user with the Editor role could delete any dashboard snapshot, including snapshots they had no permission to read or write. • https://grafana.com/security/security-advisories/cve-2026-28380 • CWE-862: Missing Authorization •
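Both the annotation entry (CVE-2026-28374) and the snapshot entry (CVE-2026-28380) above describe the same pattern: a DELETE handler that checks only the caller's role, never the caller's permission on the specific object. The block below is an added example (not Grafana's code) showing that role-only check beside an object-scoped one. The action and scope strings mimic Grafana's action/scope style but are illustrative assumptions, as are the user, dashboard UIDs and annotation IDs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	errNotFound  = errors.New("not found")
	errForbidden = errors.New("forbidden")
)

type Annotation struct {
	ID           int64
	DashboardUID string
}

type User struct {
	Login string
	Role  string              // "Viewer", "Editor" or "Admin"
	Perms map[string][]string // action -> granted scopes, e.g. "annotations:read" -> ["dashboards:uid:sales"]
}

// hasScope reports whether u holds action on scope; "*" and "prefix:*" wildcards are honoured.
func hasScope(u User, action, scope string) bool {
	for _, s := range u.Perms[action] {
		if s == "*" || s == scope {
			return true
		}
		if strings.HasSuffix(s, "*") && strings.HasPrefix(scope, strings.TrimSuffix(s, "*")) {
			return true
		}
	}
	return false
}

// deleteByRole reproduces the flaw the advisories describe: any Editor may delete any
// annotation by ID, including ones on dashboards the Editor cannot read.
func deleteByRole(store map[int64]Annotation, u User, id int64) error {
	if u.Role != "Editor" && u.Role != "Admin" {
		return errForbidden
	}
	if _, ok := store[id]; !ok {
		return errNotFound
	}
	delete(store, id)
	return nil
}

// deleteScoped checks the caller against the object itself: read access on the annotation's
// dashboard first (answering "not found" otherwise, so the ID's existence is not confirmed to
// someone who cannot see it), then delete permission on that same scope.
func deleteScoped(store map[int64]Annotation, u User, id int64) error {
	a, ok := store[id]
	if !ok {
		return errNotFound
	}
	scope := "dashboards:uid:" + a.DashboardUID
	if !hasScope(u, "annotations:read", scope) {
		return errNotFound
	}
	if !hasScope(u, "annotations:delete", scope) {
		return errForbidden
	}
	delete(store, id)
	return nil
}

// sampleStore and salesEditor are constructed fixtures: two annotations on different
// dashboards, and an Editor whose permissions are scoped to the "sales" dashboard only.
func sampleStore() map[int64]Annotation {
	return map[int64]Annotation{
		1: {ID: 1, DashboardUID: "sales"},
		2: {ID: 2, DashboardUID: "hr-salaries"},
	}
}

func salesEditor() User {
	return User{Login: "alice", Role: "Editor", Perms: map[string][]string{
		"annotations:read":   {"dashboards:uid:sales"},
		"annotations:delete": {"dashboards:uid:sales"},
	}}
}

func main() {
	store := sampleStore()
	fmt.Println("role-only delete of hr annotation:  ", deleteByRole(store, salesEditor(), 2))
	store = sampleStore()
	fmt.Println("scoped delete of hr annotation:     ", deleteScoped(store, salesEditor(), 2))
	fmt.Println("scoped delete of sales annotation:  ", deleteScoped(store, salesEditor(), 1))
}
```

The same shape applies to snapshots: load the object, resolve the scope it belongs to, and evaluate read then delete against that scope before touching the store. Returning "not found" for objects the caller cannot read keeps the endpoint from doubling as an ID oracle.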
CVSS: 5.9 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-33381 – Users can generate Service Account tokens after permissions removal
https://notcve.org/view.php?id=CVE-2026-33381
13 May 2026 — After a user's permission to create tokens for a service account is revoked, the user can sometimes still create tokens for a few seconds; the revocation eventually takes effect. • https://grafana.com/security/security-advisories/cve-2026-33381 • CWE-284: Improper Access Control •
CVSS: 7.1 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-33377 – Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin
https://notcve.org/view.php?id=CVE-2026-33377
13 May 2026 — An Editor with write access to a dashboard they do not own can overwrite it through dashboard import and thereby acquire Admin permission on that specific dashboard. Write access to the dashboard is required for the escalation. • https://grafana.com/security/security-advisories/cve-2026-33377 • CWE-284: Improper Access Control •
CVSS: 6.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-28376 – Grafana Live push endpoint allows unbounded memory allocation leading to OOM
https://notcve.org/view.php?id=CVE-2026-28376
13 May 2026 — The Grafana Live push endpoint can be made to allocate memory without bound by sending a large or streamed request body, potentially leading to an out-of-memory condition. An authenticated user with access to the Grafana Live API can trigger this issue. • https://grafana.com/security/security-advisories/cve-2026-28376 • CWE-770: Allocation of Resources Without Limits or Throttling •
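The plugin resources entry (CVE-2026-28383) and this Live push entry (CVE-2026-28376) share one root cause: the handler reads the whole request body into memory. The block below is an added example (not Grafana's code) of that pattern beside the usual fix, wrapping the body in http.MaxBytesReader so a read fails once the cap is exceeded, whether the client declares a Content-Length or streams chunks. The path, the 1 MiB cap and the request sizes are illustrative choices.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxPushBody is an assumed cap for a push payload; pick it from the largest legitimate message.
const maxPushBody = 1 << 20

// readBodyHandler returns a handler. With limit <= 0 it reproduces the unbounded pattern:
// io.ReadAll grows a buffer to whatever the client sends. With limit > 0 the body is wrapped
// in MaxBytesReader, which returns *http.MaxBytesError after limit bytes regardless of
// Content-Length, so a streamed (chunked) body is capped too.
func readBodyHandler(limit int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if limit > 0 {
			r.Body = http.MaxBytesReader(w, r.Body, limit)
		}
		body, err := io.ReadAll(r.Body)
		if err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "could not read body", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "accepted %d bytes\n", len(body))
	}
}

// runRequest POSTs bodySize bytes of constructed payload to the handler through httptest,
// with the declared length removed to mimic a streaming client, and returns the status code.
func runRequest(h http.HandlerFunc, bodySize int) int {
	body := bytes.Repeat([]byte("A"), bodySize)
	req := httptest.NewRequest(http.MethodPost, "/api/live/push/example", bytes.NewReader(body))
	req.ContentLength = -1
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unbounded, 8 MiB body:", runRequest(readBodyHandler(0), 8<<20))
	fmt.Println("capped,    8 MiB body:", runRequest(readBodyHandler(maxPushBody), 8<<20))
	fmt.Println("capped,    4 KiB body:", runRequest(readBodyHandler(maxPushBody), 4<<10))
}
```

The unbounded handler happily buffers the 8 MiB body (and would buffer a multi-gigabyte one); the capped handler answers 413 once the limit is crossed while small payloads pass unchanged. Checking r.ContentLength alone is not sufficient, since a client can omit it and stream.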
CVSS: 6.5 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-28379 – Viewer-triggered race condition in Grafana Live leads to complete server crash
https://notcve.org/view.php?id=CVE-2026-28379
13 May 2026 — A race condition in Grafana Live allows authenticated users with the Viewer role to crash the server by sending concurrent requests that trigger a fatal map access error. The result is complete service unavailability until the Grafana server is restarted. • https://grafana.com/security/security-advisories/cve-2026-28379 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
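In Go, unsynchronized access to a shared map from concurrent request handlers produces "fatal error: concurrent map writes" (or "concurrent map read and map write"). That is a runtime throw rather than a panic, so recover() in HTTP middleware cannot catch it and the whole process exits, which is why a Viewer-triggered race ends in a complete server crash. The block below is an added example (not Grafana's code) of a subscriber registry guarded with sync.RWMutex and a driver that hammers it from many goroutines; the channel name and subscriber IDs are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sync"
)

// channelRegistry maps a channel to the set of subscriber IDs on it. Every access to subs
// goes through mu; remove the Lock/RLock calls and run `go test -race` to watch the
// unsynchronized version be flagged, or run it without -race long enough to see the fatal error.
type channelRegistry struct {
	mu   sync.RWMutex
	subs map[string]map[string]struct{}
}

func newRegistry() *channelRegistry {
	return &channelRegistry{subs: make(map[string]map[string]struct{})}
}

// Subscribe adds subscriber to channel, creating the channel entry on first use.
func (r *channelRegistry) Subscribe(channel, subscriber string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	set, ok := r.subs[channel]
	if !ok {
		set = make(map[string]struct{})
		r.subs[channel] = set
	}
	set[subscriber] = struct{}{}
}

// Unsubscribe removes subscriber and drops the channel entry once it is empty.
func (r *channelRegistry) Unsubscribe(channel, subscriber string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	set, ok := r.subs[channel]
	if !ok {
		return
	}
	delete(set, subscriber)
	if len(set) == 0 {
		delete(r.subs, channel)
	}
}

// Count returns the number of subscribers on channel; concurrent readers share the lock.
func (r *channelRegistry) Count(channel string) int {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return len(r.subs[channel])
}

// hammer simulates n viewers hitting the registry at once: every viewer subscribes and reads
// the count, and the even-numbered ones immediately unsubscribe. It returns the final count,
// which is n/2 when the registry is correctly synchronized.
func hammer(r *channelRegistry, channel string, n int) int {
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			id := fmt.Sprintf("viewer-%d", i)
			r.Subscribe(channel, id)
			r.Count(channel)
			if i%2 == 0 {
				r.Unsubscribe(channel, id)
			}
		}(i)
	}
	wg.Wait()
	return r.Count(channel)
}

func main() {
	r := newRegistry()
	fmt.Println("remaining subscribers:", hammer(r, "grafana/dashboard/uid/abc", 1000))
}
```

A plain map is never safe for concurrent writers; sync.RWMutex, sync.Map, or a single owning goroutine fed by a channel all work. The detection angle is worth noting too: a Grafana process that dies with "fatal error: concurrent map" in its logs shortly after a burst of Live requests is the signature of this class of bug.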
