Memory Allocation Vulnerability in Grafana Live by Grafana Labs
CVE-2026-28376

6.5MEDIUM

Key Information:

Vendor: Grafana
Status: Grafana Oss
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-28376?

The Grafana Live push endpoint is vulnerable to exploitation via large or streaming request bodies, which may cause unbounded memory allocation. Specifically, an authenticated user able to access the Grafana Live API can inadvertently or intentionally trigger this issue, leading to potential out-of-memory conditions. This represents a significant risk for applications relying on the Grafana Live service, emphasizing the need for immediate attention and mitigation strategies.

Affected Version(s)

Grafana OSS OnPrem 8.0.0 <= 11.6.14

Grafana OSS OnPrem 11.6.14 < 11.6.14+security-04

Grafana OSS OnPrem 12.0.0 <= 12.2.8

References

https://grafana.com/security/security-advisories/cve-2026...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Feb 27, 2026

CVE-2026-28376 Data

JSON