CVE-2026-42127 | The public dashboard query endpoint does not limit request b… | CVSS 7.5 HIGH

Description

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

Metadata

CVE ID: CVE-2026-42127
State: PUBLISHED
Assigner: GRAFANA
Reserved: 2026-04-24 15:38 UTC
Published: 2026-06-22 16:31 UTC
Last updated: 2026-06-22 17:28 UTC
Primary CWE: CWE-770
CWE-770 Allocation of Resources Without Limits or Throttling
Vendor / Product: Grafana / Grafana Enterprise
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (2)

Vendor	Product	Platform	Versions
Grafana	Grafana Enterprise	—	0 ≤ 11.6.14, 0 ≤ 12.2.8, 0 ≤ 12.3.6, 0 ≤ 12.4.3 …
Grafana	Grafana OSS	—	11.6.0 ≤ 11.6.14, 12.2.0 ≤ 12.2.8, 12.3.0 ≤ 12.3.6, 12.4.0 ≤ 12.4.3 …

Weakness (CWE)

CWE	Source	Description
CWE-770	adp	CWE-770 Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (1)

https://grafana.com/security/security-advisories/cve-2026-42127