| CVE-2026-42127 | high | 7.5 | The public dashboard query endpoint does not limit request body size before processing, allowing una… | Jun 22, 2026 | Jun 30, 2026 |
| CVE-2026-9029 | high | 7.3 | The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelCon… | Jun 22, 2026 | Jun 30, 2026 |
| CVE-2026-42129 | high | 7.7 | The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authen… | Jun 22, 2026 | Jun 30, 2026 |
| CVE-2026-28381 | critical | 9.6 | The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run qu… | Jun 22, 2026 | Jun 30, 2026 |
| CVE-2026-10601 | medium | 5.4 | The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied… | Jun 22, 2026 | Jun 30, 2026 |
| CVE-2026-27878 | medium | 6.5 | A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to a… | Jun 19, 2026 | Jun 29, 2026 |
| CVE-2026-11769 | high | 8.8 | We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity sec… | Jun 13, 2026 | Jun 30, 2026 |
| CVE-2026-28374 | medium | 4.3 | Editors could delete any annotation, even those they do not have read access to. The editor user can… | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-33378 | medium | 6.5 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL … | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-28383 | medium | 6.5 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading … | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-33376 | high | 7.4 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses sp… | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-33380 | medium | 6.3 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the… | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-28380 | medium | 6.5 | Any Editor could delete any snapshot, even if they have no access to read or write them. | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-33381 | medium | 5.9 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible… | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-33377 | high | 7.1 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. T… | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-28376 | medium | 6.5 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a la… | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-28379 | medium | 6.5 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server cra… | May 13, 2026 | Jun 17, 2026 |
| CVE-2026-21728 | high | 7.5 | Tempo queries with large limits can cause large memory allocations which can impact the availability… | Apr 24, 2026 | Jun 30, 2026 |
| CVE-2026-21726 | medium | 5.3 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single… | Apr 15, 2026 | Jun 17, 2026 |
| CVE-2025-41118 | critical | 9.1 | Pyroscope is an open-source continuous profiling database. The database supports various storage bac… | Apr 15, 2026 | Jun 30, 2026 |
| CVE-2026-21727 | low | 3.3 | ---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
draft: false
hero:
image: /stat… | Apr 15, 2026 | Jun 17, 2026 |
| CVE-2026-27879 | medium | 6.5 | A resample query can be used to trigger out-of-memory crashes in Grafana. | Mar 27, 2026 | Jun 17, 2026 |
| CVE-2026-28375 | medium | 6.5 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | Mar 27, 2026 | Jun 17, 2026 |
| CVE-2026-27876 | critical | 9.1 | A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary … | Mar 27, 2026 | Jun 30, 2026 |
| CVE-2026-27880 | high | 7.5 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cau… | Mar 27, 2026 | Jun 30, 2026 |