Denial of Service Risk in Grafana Dashboard Due to Unrestricted Query Size
CVE-2026-42127
7.5 HIGH
What is CVE-2026-42127?
This vulnerability allows unauthenticated attackers to exploit the public dashboard query endpoint by sending enormous JSON payloads. The lack of request body size limitations can lead to excessive memory allocation, ultimately resulting in denial of service as system resources are consumed. Notably, the attack can be executed without any valid dashboard access token or authentication, making it particularly concerning for Grafana users.
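The control this description says is missing, shown as an added defensive example that is not Grafana's code: a Go handler that bounds the request body before any JSON is decoded, and answers 413 whether the oversized body is declared up front or streamed with no declared length. The 1 MiB cap, the `/query` path, the request shape and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxQueryBody = 1 << 20 // assumed 1 MiB cap; size it to the largest legitimate query

// limitedQueryHandler bounds the body before any JSON is buffered or decoded.
func limitedQueryHandler(w http.ResponseWriter, r *http.Request) {
	if r.ContentLength > maxQueryBody { // early reject on the declared size
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxQueryBody) // hard cap, covers chunked bodies
	var req struct { // hypothetical request shape, not Grafana's schema
		Queries []json.RawMessage `json:"queries"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		status := http.StatusBadRequest
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			status = http.StatusRequestEntityTooLarge
		}
		http.Error(w, http.StatusText(status), status)
		return
	}
	fmt.Fprintf(w, "accepted %d queries", len(req.Queries))
}

// postStatus runs one in-process POST and returns the response status code.
func postStatus(body string, chunked bool) int {
	req := httptest.NewRequest(http.MethodPost, "/query", strings.NewReader(body))
	if chunked {
		req.ContentLength = -1 // length unknown, as with chunked encoding
	}
	rec := httptest.NewRecorder()
	limitedQueryHandler(rec, req)
	return rec.Code
}

func main() {
	big := `{"queries":["` + strings.Repeat("A", 2*maxQueryBody) + `"]}` // constructed
	fmt.Println(postStatus(`{"queries":[{}]}`, false), postStatus(big, false), postStatus(big, true))
}
```

The same cap can also be enforced at a reverse proxy in front of the service, so oversized requests never reach the application process.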
Affected Version(s)
Grafana Enterprise 0 <= 11.6.14
Grafana Enterprise 0 <= 12.2.8
Grafana Enterprise 0 <= 12.3.6