CVE-2026-28376

medium

Published 2026-05-13 · Modified 2026-05-18

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

6.5

Description

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-28376.html

vendor Authored 2026-05-27

Vendor advisory: security@grafana.com — https://grafana.com/security/security-advisories/cve-2026-28376

OS impact

OS	Version	Status	Fixed in
sles		affected

Application impact

Vendor	Product	Versions	Fixed
grafana	grafana	`{"startIncluding":"8.0.0","endExcluding":"11.6.14"}`	`11.6.14`
grafana	grafana	`11.6.14`
grafana	grafana	`12.2.8`
grafana	grafana	`12.3.6`
grafana	grafana	`12.4.3`
grafana	grafana	`13.0.0`
grafana	grafana	`13.0.1`

References

CWEs

CWE-770

Verify integrity in audit chain (admin only). AS-IS.