CVE-2026-33382

Grafana · Grafana OSS

Several Grafana OSS API endpoints fail to limit the size of request bodies before processing, leading to potential resource exhaustion and denial-of-service.

Executive summary

An unauthenticated resource exhaustion vulnerability in Grafana OSS allows attackers to trigger denial-of-service conditions by sending oversized request bodies to vulnerable API endpoints.

Vulnerability

The vulnerability is a classic CWE-400 (Uncontrolled Resource Consumption). By sending excessively large request bodies to specific API endpoints—some of which do not require authentication—an attacker can force the server to consume excessive memory or CPU, resulting in a denial-of-service (DoS) state.

Business impact

The impact of this vulnerability is primarily focused on availability. Successful exploitation can render the Grafana dashboard and its associated alerting or monitoring services inaccessible. With a CVSS score of 7.5, the risk to business operations is significant, particularly for organizations that rely on Grafana for real-time observability and incident response.

Remediation

Immediate Action: Upgrade to the latest patched version of Grafana OSS as specified in the vendor security advisory.

Proactive Monitoring: Monitor server metrics such as memory usage, CPU load, and API response times for sudden spikes indicative of an exhaustion attack.

Compensating Controls: Deploy a Web Application Firewall (WAF) or reverse proxy to enforce request body size limits before the traffic reaches the Grafana service.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Administrators should treat this vulnerability with high urgency, as the unauthenticated nature of the affected endpoints makes it easily exploitable from the public internet. Patching the affected Grafana instances is the most effective way to prevent resource exhaustion and ensure the continued availability of your monitoring infrastructure.