Logic Flaw in Grafana MSSQL Data Source Plugin Allows Memory Exhaustion Attacks
CVE-2026-33375

6.5 MEDIUM

Key Information:

Vendor

Grafana

CVE Published:
26 March 2026

What is CVE-2026-33375?

A logic flaw in the Grafana MSSQL data source plugin permits low-privileged users, such as Viewers, to bypass API restrictions. This flaw can lead to memory exhaustion, potentially crashing the hosting container and resulting in service disruptions.

Affected Version(s)

Grafana OSS OnPrem 11.6.0 < 11.6.14+security-01

Grafana OSS OnPrem 12.1.0 < 12.1.10+security-01

Grafana OSS OnPrem 12.2.0 < 12.2.8+security-01

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
