
cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*

part: a version: * update: *

Vendor: Grafana (7564912d-bb81-50cf-9eb9-f573ac2fa519)
Product: Grafana (6e4f3e11-70ef-54b3-88d6-f64136c9d5f2)
Edition: *
Language: *
Software edition: -
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL                          Source     Last updated
pkg:docker/grafana/grafana    purl2cpe   2026-06-01 10:14:45.238506
pkg:github/grafana/grafana    purl2cpe   2026-06-01 10:14:45.238508
pkg:rpm/fedora/grafana        purl2cpe   2026-06-01 10:14:45.238510
pkg:rpm/opensuse/grafana      purl2cpe   2026-06-01 10:14:45.238511

Vulnerability references

Identifier: CVE-2026-33375
cpeApplicability: vulnerable
Submitted: 2026-06-03 15:20:44.747132
Title: Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
Severity: MEDIUM (6.5)
Description: The Grafana MSSQL data source plugin contains a logic flaw that lets a low-privileged user (Viewer) bypass API restrictions and trigger out-of-memory (OOM) exhaustion that crashes the host container.
Published: 2026-03-26T20:05:52.564Z
Updated: 2026-05-13T19:28:42.782Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-21724
cpeApplicability: vulnerable
Submitted: 2026-06-03 15:15:51.535024
Title: Missing Protected-field Authorization in Provisioning Contact Points API
Severity: MEDIUM (5.4)
Description: An authorization bypass in the Grafana OSS provisioning contact points API allows users with the Editor role to modify protected webhook URLs without holding the alert.notifications.receivers.protected:write permission.
Published: 2026-03-26T20:06:18.829Z
Updated: 2026-05-13T19:28:30.022Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-21720
cpeApplicability: vulnerable
Submitted: 2026-06-03 15:15:51.505576
Title: Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
Severity: HIGH (7.5)
Description: Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh waits in the 10-slot worker queue for longer than three seconds, the handler times out and stops listening for the result, so the goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so the goroutine count grows linearly, eventually exhausting memory and crashing Grafana on some systems.
Published: 2026-01-27T09:07:04.758Z
Updated: 2026-05-13T19:28:36.287Z
Rationale: Imported from gcve-enriched-dumps CVE data

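The leak mechanism described in the CVE-2026-21720 record, as an added illustration that is not part of this CPE record and not Grafana's code: a handler hands work to a goroutine, gives up after a timeout, and the goroutine then blocks forever on an unbuffered send. The 10-slot worker queue and Gravatar fetch are omitted; fetchImage and its delay are constructed stand-ins, and the buffered-channel variant is one generic hardening of the pattern, not necessarily the project's actual patch. leakedGoroutines counts how many goroutines survive a burst of timed-out requests under each variant.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"time"
)

// fetchImage stands in for the upstream Gravatar refresh (constructed for the
// demo). Its delay must exceed the handler timeout so that every request takes
// the timeout path the advisory describes.
func fetchImage(hash string, delay time.Duration) []byte {
	time.Sleep(delay)
	return []byte("png:" + hash)
}

// leakyLookup reproduces the vulnerable pattern (simplified: no worker queue).
// The worker sends its result on an UNBUFFERED channel; once the handler has
// timed out and returned, nobody will ever receive, so the worker blocks on
// the send for the life of the process.
func leakyLookup(hash string, work, timeout time.Duration) ([]byte, error) {
	result := make(chan []byte) // unbuffered: send blocks until a receiver is ready
	go func() {
		result <- fetchImage(hash, work) // blocks forever after the handler gives up
	}()
	select {
	case img := <-result:
		return img, nil
	case <-time.After(timeout):
		return nil, errors.New("avatar refresh timed out")
	}
}

// safeLookup is one hardening (assumed here, not Grafana's patch): a channel
// with capacity 1 lets the worker deposit its result and exit even if the
// handler already returned, so a timed-out request holds no goroutine once
// the fetch finishes.
func safeLookup(hash string, work, timeout time.Duration) ([]byte, error) {
	result := make(chan []byte, 1) // buffered: the single send always completes
	go func() {
		result <- fetchImage(hash, work)
	}()
	select {
	case img := <-result:
		return img, nil
	case <-time.After(timeout):
		return nil, errors.New("avatar refresh timed out")
	}
}

// leakedGoroutines issues n requests with distinct hashes, all of which time
// out, waits long enough for every worker to finish its fetch, and reports how
// many goroutines remain above the pre-request baseline. The leaky variant
// returns n (one stuck worker per request); the safe variant returns 0.
func leakedGoroutines(lookup func(string, time.Duration, time.Duration) ([]byte, error), n int) int {
	const work, timeout = 40 * time.Millisecond, 1 * time.Millisecond
	runtime.GC()
	base := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		_, _ = lookup(fmt.Sprintf("%032x", i), work, timeout) // uncached, attacker-chosen hash
	}
	time.Sleep(10 * work) // every worker has finished fetchImage by now
	runtime.GC()
	return runtime.NumGoroutine() - base
}

func main() {
	fmt.Printf("leaky: %d goroutines stuck after 20 timed-out requests\n", leakedGoroutines(leakyLookup, 20))
	fmt.Printf("safe:  %d goroutines stuck after 20 timed-out requests\n", leakedGoroutines(safeLookup, 20))
}
```

Run with `go run .`; the leaky count equals the number of timed-out requests, which is the linear growth the record describes, while the buffered variant returns to baseline. Cancelling the fetch itself via a context would be the stronger fix, since the buffered channel still lets the worker run to completion once per request.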
Identifier: CVE-2023-3128
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:52:40.016296
Severity: CRITICAL (9.4)
Description: Grafana validates Azure AD accounts using the email claim. On Azure AD the profile email field is neither unique nor protected from modification. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Published: 2023-06-22T20:14:00.805Z
Updated: 2025-02-13T16:49:48.654Z
Rationale: Imported from gcve-enriched-dumps CVE data
