CVE-2026-28383

CVE-2026-28383

Name

CVE-2026-28383

Description

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security@grafana.com	https://grafana.com/security/security-advisories/cve-2026-28383

Type

URI

security@grafana.com

https://grafana.com/security/security-advisories/cve-2026-28383

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 8.5.0	< 11.6.14
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 12.2.0	< 12.2.8
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 12.3.0	< 12.3.6
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 12.4.0	< 12.4.3
`cpe:2.3:a:grafana:grafana:11.6.14:-::::::`	grafana	== None	== 11.6.14
`cpe:2.3:a:grafana:grafana:12.2.8:-::::::`	grafana	== None	== 12.2.8
`cpe:2.3:a:grafana:grafana:12.3.6:-::::::`	grafana	== None	== 12.3.6
`cpe:2.3:a:grafana:grafana:12.4.3:-::::::`	grafana	== None	== 12.4.3
`cpe:2.3:a:grafana:grafana:13.0.0:::::::*`	grafana	== None	== 13.0.0
`cpe:2.3:a:grafana:grafana:13.0.1:-::::::`	grafana	== None	== 13.0.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 8.5.0

< 11.6.14

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 12.2.0

< 12.2.8

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 12.3.0

< 12.3.6

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 12.4.0

< 12.4.3

cpe:2.3:a:grafana:grafana:11.6.14:-:*:*:*:*:*:*

grafana

== None

== 11.6.14

cpe:2.3:a:grafana:grafana:12.2.8:-:*:*:*:*:*:*

grafana

== None

== 12.2.8

cpe:2.3:a:grafana:grafana:12.3.6:-:*:*:*:*:*:*

grafana

== None

== 12.3.6

cpe:2.3:a:grafana:grafana:12.4.3:-:*:*:*:*:*:*

grafana

== None

== 12.4.3

cpe:2.3:a:grafana:grafana:13.0.0:*:*:*:*:*:*:*

grafana

== None

== 13.0.0

cpe:2.3:a:grafana:grafana:13.0.1:-:*:*:*:*:*:*

grafana

== None

== 13.0.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
grafana	edge-community	12.4.3-r1	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	12.4.3-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	12.4.1-r1	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	12.4.1-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	12.2.1-r4	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	12.2.1-r3	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	12.2.1-r2	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	12.2.1-r1	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	12.2.1-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.6.1-r0	None	possibly vulnerable
grafana	edge-community	11.6.0-r2	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.6.0-r1	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.6.0-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.5.2-r1	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.5.2-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.5.1-r1	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.5.1-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.5.0-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.4.0-r1	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.4.0-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.3.2-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.3.1-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	11.1.4-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	9.1.2-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	9.0.3-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.5.3-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	3.23-community	12.2.8-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	3.23-community	12.2.1-r6	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	3.23-community	12.2.1-r5	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	3.23-community	12.2.1-r4	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	3.23-community	12.2.1-r3	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	3.23-community	12.2.1-r2	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	3.23-community	12.2.1-r1	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages