Out-of-Memory Vulnerability in Grafana Server by Grafana Labs
CVE-2026-33378

6.5MEDIUM

Key Information:

Vendor: Grafana
Status: Grafana Oss
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-33378?

The Grafana server is susceptible to an out-of-memory (OOM) vulnerability when using the $__timeGroup macro with a SQL datasource. This vulnerability allows an attacker to overload the server, potentially leading to service disruption. The server may crash if it is unable to handle the excessive data requests initiated through this macro. However, if the server is configured to automatically restart, the operational impact could be minimized, though the attack may still take significant time to execute.

Affected Version(s)

Grafana OSS OnPrem 8.0.0 <= 11.6.14

Grafana OSS OnPrem 11.6.14 < 11.6.14+security-04

Grafana OSS OnPrem 12.0.0 <= 12.2.8

References

https://grafana.com/security/security-advisories/cve-2026...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Mar 19, 2026

CVE-2026-33378 Data

JSON