VYPR

Bitnami package

grafana

pkg:bitnami/grafana

Vulnerabilities (97)

  • CVE-2026-33381 (Medium) May 13, 2026
    affected >= 9.2.0, < 11.6.14; fixed 11.6.14

    When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

  • CVE-2026-33380 (Medium) May 13, 2026
    affected >= 11.6.0, < 11.6.14; fixed 11.6.14

    A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

  • CVE-2026-33378 (Medium) May 13, 2026
    affected >= 8.0.0, < 11.6.14; fixed 11.6.14

    Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.

  • CVE-2026-33377 (High) May 13, 2026
    affected >= 8.5.0, < 11.6.14; fixed 11.6.14

    An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

  • CVE-2026-33376 (High) May 13, 2026
    affected >= 9.4.0, < 11.6.14; fixed 11.6.14

    When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffe

  • CVE-2026-28383 (Medium) May 13, 2026
    affected >= 6.7.0, < 11.6.14; fixed 11.6.14

    A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

  • CVE-2026-28380 (Medium) May 13, 2026
    affected >= 9.4.0, < 11.6.14; fixed 11.6.14

    Any Editor could delete any snapshot, even if they have no access to read or write them.

  • CVE-2026-28379 (Medium) May 13, 2026
    affected >= 8.2.0, < 11.6.14; fixed 11.6.14

    A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

  • CVE-2026-28376 (Medium) May 13, 2026
    affected >= 8.0.0, < 11.6.14; fixed 11.6.14

    The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

  • CVE-2026-28374 (Medium) May 13, 2026
    affected >= 8.5.0, < 11.6.14; fixed 11.6.14

    Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

  • CVE-2026-21727 (Low) Apr 15, 2026
    affected < 11.6.11; fixed 11.6.11

    Cross-Tenant Legacy Correlation Disclosure and Deletion (Grafana advisory dated 2026-01-29, severity Low; no further description is given on this page).

  • CVE-2025-12141 (Medium) Apr 15, 2026
    affected >= 8.0.0, < 12.3.1; fixed 12.3.1

    In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Edito

  • CVE-2026-28375 (Medium) Mar 27, 2026
    affected >= 8.1.0, < 11.6.14; fixed 11.6.14

    A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

  • CVE-2026-27880 (High) Mar 27, 2026
    affected >= 12.1.0, < 12.1.10; fixed 12.1.10

    The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

  • CVE-2026-27879 (Medium) Mar 27, 2026
    affected >= 8.0.0, < 11.6.14; fixed 11.6.14

    A resample query can be used to trigger out-of-memory crashes in Grafana.

  • CVE-2026-27877 (Medium) Mar 27, 2026
    affected >= 9.3.0, < 11.6.14; fixed 11.6.14

    When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as pos

  • CVE-2026-27876 (Critical) Mar 27, 2026
    affected >= 11.6.0, < 11.6.14; fixed 11.6.14

    A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only inst

  • CVE-2026-33375 (Medium) Mar 26, 2026
    affected >= 11.6.0, < 11.6.14; fixed 11.6.14

    The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

  • CVE-2026-21724 (Medium) Mar 26, 2026
    affected >= 11.6.9, < 11.6.14; fixed 11.6.14

    A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

  • CVE-2026-21725 (Low) Feb 25, 2026
    affected >= 11.0.0, < 12.4.1; fixed 12.4.1

    A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior

Page 1 of 5