Grafana Oss

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

Published: 2026-05-13T19:28:31.559Z
Updated: 2026-05-16T03:55:59.990Z

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Published: 2026-05-13T19:28:32.915Z
Updated: 2026-05-14T15:12:46.748Z

Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.

Published: 2026-05-13T19:28:37.606Z
Updated: 2026-05-14T12:33:58.842Z

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

Published: 2026-05-13T19:28:28.154Z
Updated: 2026-05-18T18:33:09.317Z

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.

Published: 2026-05-13T19:28:34.473Z
Updated: 2026-05-16T03:56:01.168Z

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

Published: 2026-03-26T20:05:52.564Z
Updated: 2026-05-13T19:28:42.782Z

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

Published: 2026-05-13T19:28:36.952Z
Updated: 2026-05-14T12:36:22.328Z

Any Editor could delete any snapshot, even if they have no access to read or write them.

Published: 2026-05-13T19:28:32.257Z
Updated: 2026-05-14T15:55:03.357Z

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

Published: 2026-05-13T19:28:25.836Z
Updated: 2026-05-14T18:12:49.850Z

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

Published: 2026-05-13T19:28:26.544Z
Updated: 2026-05-14T18:10:54.005Z

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

Published: 2026-05-13T19:28:40.053Z
Updated: 2026-05-14T12:33:13.749Z

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Published: 2026-03-26T20:06:18.829Z
Updated: 2026-05-13T19:28:30.022Z