SB2026033194 - Multiple vulnerabilities in Grafana

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2026-27877)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in public dashboards when handling direct mode data sources. A remote user can access publicly shared dashboards to disclose sensitive information.

Authentication is required to create or access public dashboards; only direct mode data sources are affected.

2) Improper input validation (CVE-ID: CVE-2026-33375)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper access control in the MSSQL data source plugin when processing user queries. A remote user can send a specially crafted request to cause a denial of service.

Authentication as a low-privileged user (Viewer) is required to exploit this vulnerability.

3) Improper Authorization (CVE-ID: CVE-2026-21724)

The vulnerability allows a remote user to modify protected webhook URLs.

The vulnerability exists due to improper access control in the Provisioning Contact Points API when handling API requests. A remote user can send a specially crafted request to modify protected webhook URLs.

Successful exploitation allows modification of protected contact points without the required alert.notifications.receivers.protected:write permission.

4) Improper input validation (CVE-ID: CVE-2026-28375)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in the testdata datasource when processing user-supplied queries. A remote user can send a specially crafted request to cause a denial of service.

5) Resource exhaustion (CVE-ID: CVE-2026-27880)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the OpenFeature feature toggle evaluation endpoint when processing unbounded input data. A remote attacker can send a specially crafted request with large input values to cause a denial of service.

The issue can lead to out-of-memory crashes.

6) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-27879)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in query resampling when processing crafted resample queries. A remote user can send a specially crafted request to cause a denial of service.

7) Improper input validation (CVE-ID: CVE-2026-27876)

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation in SQL Expressions feature when processing user-supplied queries. A remote privileged user can send a specially crafted request to execute arbitrary code.

Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Remediation

Install update from vendor's website.

References

• https://grafana.com/security/security-advisories/cve-2026-27877/
• https://grafana.com/security/security-advisories/cve-2026-33375/
• https://grafana.com/security/security-advisories/cve-2026-21724/
• https://grafana.com/security/security-advisories/cve-2026-28375/
• https://grafana.com/security/security-advisories/cve-2026-27880/
• https://grafana.com/security/security-advisories/cve-2026-27879/
• https://grafana.com/security/security-advisories/cve-2026-27876/