Grafana denial of service via oversized request bodies (web.Bind)

High
Advisory ID:CVE-2026-33382
Published:2026-06-09
Product:Grafana
CVSS Score:7.5
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Fixed Versions:
>=11.6.15
>=12.2.9
>=12.3.7
>=12.4.4
>=13.0.2

Summary

Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service. Upgrade to a fixed version listed below.