SB2026051824 - Multiple vulnerabilities in Grafana
Published: May 18, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-28374)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete annotations they are not authorized to access.
The vulnerability exists due to improper access control in the annotations API when handling delete requests. A remote user can send a crafted delete request and remove annotations they do not have read access to.
The issue affects users with the Editor role, who can delete annotations even though they can neither create nor read them.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-28376)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in the Grafana Live push endpoint, which buffers the request body without a size limit. A remote user can send a very large or never-ending (streaming) request body to exhaust server memory and cause a denial of service.
3) Race condition (CVE-ID: CVE-2026-28379)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a race condition in Grafana Live when handling concurrent requests. A remote user can send concurrent requests to cause a denial of service.
The race can trigger a fatal concurrent map access error in the Go runtime, which cannot be recovered in-process, causing complete service unavailability until the Grafana server is restarted.
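The fix pattern for item 3, as an added example (not Grafana's own code): a subscription registry of the kind a push/streaming service keeps, with every map access guarded by a mutex. In Go, two goroutines writing the same map at once is not a panic that `recover()` can catch but a runtime fatal error that terminates the process, which is the "unavailable until restart" outcome described above. The registry layout, channel and client names are constructed for the example.

```go
package main

import (
	"fmt"
	"sync"
)

// Registry tracks which clients are subscribed to which channel. Go maps are not safe
// for concurrent use: two requests mutating subs at the same time trigger the runtime's
// "fatal error: concurrent map writes", which recover() cannot catch, so the whole
// process dies. A mutex around every access is the minimal fix. Example code only;
// this is not Grafana Live's implementation.
type Registry struct {
	mu   sync.RWMutex
	subs map[string]map[string]struct{} // channel -> set of client IDs
}

func NewRegistry() *Registry {
	return &Registry{subs: make(map[string]map[string]struct{})}
}

// Subscribe adds client to channel, creating the channel entry on first use.
func (r *Registry) Subscribe(channel, client string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	set, ok := r.subs[channel]
	if !ok {
		set = make(map[string]struct{})
		r.subs[channel] = set
	}
	set[client] = struct{}{}
}

// Unsubscribe removes client and drops the channel once nobody is left. Removing an
// unknown client or channel is a no-op, so a duplicate or late-arriving disconnect
// cannot disturb other clients' state.
func (r *Registry) Unsubscribe(channel, client string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	set, ok := r.subs[channel]
	if !ok {
		return
	}
	delete(set, client)
	if len(set) == 0 {
		delete(r.subs, channel)
	}
}

// Count returns the number of clients on channel. Readers share an RLock so
// lookups from many goroutines do not serialise behind each other.
func (r *Registry) Count(channel string) int {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return len(r.subs[channel])
}

// Channels returns how many channels currently have at least one subscriber.
func (r *Registry) Channels() int {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return len(r.subs)
}

// stress simulates n clients connecting concurrently to one channel, then the
// even-numbered half disconnecting concurrently while the others keep calling
// Count. It returns the number of clients left; run it under `go test -race`
// to confirm the locking is complete.
func stress(r *Registry, n int) int {
	const channel = "stream/metrics" // constructed channel name
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			r.Subscribe(channel, fmt.Sprintf("client-%d", id))
		}(i)
	}
	wg.Wait()
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			if id%2 == 0 {
				r.Unsubscribe(channel, fmt.Sprintf("client-%d", id))
			} else {
				_ = r.Count(channel) // concurrent reader alongside the writers
			}
		}(i)
	}
	wg.Wait()
	return r.Count(channel)
}

func main() {
	r := NewRegistry()
	fmt.Println("remaining subscribers:", stress(r, 1000)) // 500
	fmt.Println("active channels:", r.Channels())          // 1
}
```

Removing the mutex and running `stress` under `go test -race` reports the data race immediately; without the race detector the unguarded version crashes intermittently, which is exactly why such a bug is easy to miss in testing and fatal in production.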
4) Improper access control (CVE-ID: CVE-2026-28380)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete dashboard snapshots they are not authorized to access.
The vulnerability exists due to improper access control in the Snapshot API when handling deletion requests. A remote user can send a deletion request for snapshots they are not authorized to read or modify and remove them.
5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-28383)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in the plugin resources endpoint when handling large request bodies. A remote user can send a specially crafted request with an oversized body to cause a denial of service.
The issue can trigger an out-of-memory condition.
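Items 2 and 5 share one root cause, a request body read into memory with no cap. The added example below (not Grafana's code) shows the weak handler beside the bounded one using Go's `http.MaxBytesReader`, and exercises both with a constructed oversized body and with a body that never ends. The 1 MiB limit and the `/push` path are placeholders chosen for the example; the page does not state the limit Grafana applies after the fix.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBody is an illustrative cap chosen for this example only.
const maxBody = 1 << 20 // 1 MiB

// unboundedHandler shows the weak pattern: the whole body is buffered before
// anything else happens, so peak memory per request is set by the client.
// A streaming client that never closes its body makes io.ReadAll grow until OOM.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// boundedHandler wraps the body in http.MaxBytesReader. The cap is enforced on
// bytes actually read, not on Content-Length, so a chunked or endless stream is
// cut off at maxBody+1 bytes and surfaces as *http.MaxBytesError; the reader also
// asks the ResponseWriter to close the connection so the client cannot keep pushing.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, fmt.Sprintf("body exceeds %d bytes", tooLarge.Limit), http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// endlessBody is a constructed stand-in for a client that streams forever.
type endlessBody struct{}

func (endlessBody) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'x'
	}
	return len(p), nil
}

// post runs handler against a POST carrying body (the path is a placeholder, not
// an exact Grafana route) and returns the HTTP status it produced.
func post(handler http.HandlerFunc, body io.Reader) int {
	req := httptest.NewRequest(http.MethodPost, "/push", body)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code
}

func main() {
	big := strings.Repeat("x", 4*maxBody)
	fmt.Println(post(unboundedHandler, strings.NewReader(big))) // 200: 4 MiB buffered for one request
	fmt.Println(post(boundedHandler, strings.NewReader(big)))   // 413
	fmt.Println(post(boundedHandler, strings.NewReader("ok")))  // 200
	fmt.Println(post(boundedHandler, endlessBody{}))            // 413: stream cut off at the cap
}
```

Checking `Content-Length` alone would not close the hole, since a chunked request has no declared length; limiting the reader covers both the "large" and the "streaming" case named in item 2.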
6) Improper access control (CVE-ID: CVE-2026-33376)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass IP-based access restrictions for the Auth Proxy feature.
The vulnerability exists due to improper handling of IPv6 entries in the Auth Proxy allow-list: an IPv6 address listed without an explicit mask is given the default /32 prefix length, which denotes a single host for IPv4 but a very large range for IPv6. A remote attacker whose IPv6 address falls within that unintended /32 range (that is, shares the first 32 bits with an allow-listed address) can bypass the IP-based access restrictions for the Auth Proxy feature.
Only the Auth Proxy feature is affected; other authentication methods such as Okta, SAML, and LDAP are unaffected.
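The allow-list behaviour in item 6, shown as an added example rather than Grafana's own code: a parser that appends "/32" to any entry lacking a mask, beside one that sizes the host prefix by address family (/32 for IPv4, /128 for IPv6). The allow-list entries and the attacker's address use documentation ranges and are constructed for the example; the unmapping of `::ffff:a.b.c.d` forms is an extra hardening step, not something the page describes.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parseEntryWeak reproduces the flawed logic: an allow-list entry without an
// explicit prefix length is given "/32". That is one host for IPv4 but 2^96
// addresses for IPv6, so every address sharing the first 32 bits is admitted.
func parseEntryWeak(entry string) (netip.Prefix, error) {
	if !strings.Contains(entry, "/") {
		entry += "/32"
	}
	return netip.ParsePrefix(entry)
}

// parseEntry is the corrected form: a bare address becomes a host prefix sized
// for its own family (/32 for IPv4, /128 for IPv6). IPv4-mapped IPv6 forms such
// as ::ffff:10.0.0.5 are unmapped first so they compare as IPv4 (hardening step
// added for this example).
func parseEntry(entry string) (netip.Prefix, error) {
	if strings.Contains(entry, "/") {
		p, err := netip.ParsePrefix(entry)
		if err != nil {
			return netip.Prefix{}, err
		}
		return p.Masked(), nil
	}
	addr, err := netip.ParseAddr(entry)
	if err != nil {
		return netip.Prefix{}, err
	}
	addr = addr.Unmap()
	return netip.PrefixFrom(addr, addr.BitLen()), nil
}

// allowed reports whether remote is covered by any allow-list entry under the
// given parser. An unparsable entry or remote address fails closed (denied).
func allowed(entries []string, remote string, parse func(string) (netip.Prefix, error)) bool {
	addr, err := netip.ParseAddr(remote)
	if err != nil {
		return false
	}
	addr = addr.Unmap()
	for _, e := range entries {
		p, err := parse(strings.TrimSpace(e))
		if err != nil {
			return false
		}
		if p.Contains(addr) { // Contains never matches across address families
			return true
		}
	}
	return false
}

func main() {
	// Constructed allow-list: one IPv6 host and one IPv4 host, both without a mask.
	allowList := []string{"2001:db8:1234:abcd::10", "10.0.0.5"}
	neighbour := "2001:db8:ffff::1" // shares only the first 32 bits with the IPv6 entry

	fmt.Println("weak :", allowed(allowList, neighbour, parseEntryWeak))                // true (bypass)
	fmt.Println("fixed:", allowed(allowList, neighbour, parseEntry))                    // false
	fmt.Println("fixed:", allowed(allowList, "2001:db8:1234:abcd::10", parseEntry))     // true
	fmt.Println("fixed:", allowed(allowList, "10.0.0.6", parseEntry))                   // false: IPv4 /32 is one host
}
```

The same check is worth running against your own configuration: any bare IPv6 address in the Auth Proxy allow-list was, before the fix, effectively a /32 network, so review those entries and prefer writing explicit prefix lengths.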
7) Improper access control (CVE-ID: CVE-2026-33377)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges on a specific dashboard.
The vulnerability exists due to improper access control in the dashboard import functionality. A remote user with write access to an existing dashboard can import over it, overwriting a dashboard they do not own and gaining elevated privileges on that specific dashboard.
Exploitation requires write access to the target dashboard.
8) Input validation error (CVE-ID: CVE-2026-33378)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in the $__timeGroup macro when processing a user-supplied negative interval value in a SQL datasource query. A remote user can submit a specially crafted query to cause a denial of service.
Exploitation requires access to a SQL datasource.
9) Improper access control (CVE-ID: CVE-2026-33380)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in SQL Expressions when evaluating user-supplied SQL expressions. A remote user can read arbitrary files from the server filesystem to disclose sensitive information.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
10) Improper access control (CVE-ID: CVE-2026-33381)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to generate service account tokens after their permissions have been removed.
The vulnerability exists due to improper access control in service account token generation while a permission revocation is being processed. A remote privileged user can generate a service account token in the brief window after access is revoked but before the revocation is fully applied.
Access may remain usable for a few seconds after the revocation event before it is fully removed.
Remediation
Install the update from the vendor's website (see the Grafana security advisories listed under References).
References
- https://grafana.com/security/security-advisories/cve-2026-28374/
- https://grafana.com/security/security-advisories/cve-2026-28376/
- https://grafana.com/security/security-advisories/cve-2026-28379/
- https://grafana.com/security/security-advisories/cve-2026-28380/
- https://grafana.com/security/security-advisories/cve-2026-28383/
- https://grafana.com/security/security-advisories/cve-2026-33376/
- https://grafana.com/security/security-advisories/cve-2026-33377/
- https://grafana.com/security/security-advisories/cve-2026-33378/
- https://grafana.com/security/security-advisories/cve-2026-33380/
- https://grafana.com/security/security-advisories/cve-2026-33381/