CVE-2026-42127

HIGH 7.5

Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

Vendor	grafana
Product	grafana enterprise
Ecosystems	Monitoring DevTools
Industries	Technology
Published	Jun 22, 2026
Last Updated	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for grafana grafana enterprise

Be the first to know when new high vulnerabilities affecting grafana grafana enterprise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Grafana / Grafana Enterprise

0 ≤ 11.6.14 0 ≤ 12.2.8 0 ≤ 12.3.6 0 ≤ 12.4.3 0 ≤ 13.0.1

Grafana / Grafana OSS

11.6.0 ≤ 11.6.14 12.2.0 ≤ 12.2.8 12.3.0 ≤ 12.3.6 12.4.0 ≤ 12.4.3 13.0.0 ≤ 13.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

grafana.com: https://grafana.com/security/security-advisories/cve-2026-42127

Credits

Charlie Lewis