SB2026033194 - Multiple vulnerabilities in Grafana
Published: March 31, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2026-27877)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in public dashboards when handling direct mode data sources. A remote user can access publicly shared dashboards to disclose sensitive information.
Authentication is required to create or access public dashboards; only direct mode data sources are affected.
2) Improper input validation (CVE-ID: CVE-2026-33375)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper access control in the MSSQL data source plugin when processing user queries. A remote user can send a specially crafted request to cause a denial of service.
Authentication as a low-privileged user (Viewer) is required to exploit this vulnerability.
3) Improper Authorization (CVE-ID: CVE-2026-21724)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify protected webhook URLs.
The vulnerability exists due to improper access control in the Provisioning Contact Points API when handling API requests. A remote user can send a specially crafted request to modify protected webhook URLs.
Successful exploitation allows modification of protected contact points without the required alert.notifications.receivers.protected:write permission.
4) Improper input validation (CVE-ID: CVE-2026-28375)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in the testdata datasource when processing user-supplied queries. A remote user can send a specially crafted request to cause a denial of service.
5) Resource exhaustion (CVE-ID: CVE-2026-27880)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the OpenFeature feature toggle evaluation endpoint when processing unbounded input data. A remote attacker can send a specially crafted request with large input values to cause a denial of service.
The issue can lead to out-of-memory crashes.
6) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-27879)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in query resampling when processing crafted resample queries. A remote user can send a specially crafted request to cause a denial of service.
7) Improper input validation (CVE-ID: CVE-2026-27876)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation in SQL Expressions feature when processing user-supplied queries. A remote privileged user can send a specially crafted request to execute arbitrary code.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Remediation
Install update from vendor's website.
References
- https://grafana.com/security/security-advisories/cve-2026-27877/
- https://grafana.com/security/security-advisories/cve-2026-33375/
- https://grafana.com/security/security-advisories/cve-2026-21724/
- https://grafana.com/security/security-advisories/cve-2026-28375/
- https://grafana.com/security/security-advisories/cve-2026-27880/
- https://grafana.com/security/security-advisories/cve-2026-27879/
- https://grafana.com/security/security-advisories/cve-2026-27876/