{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33375", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-03-19T07:55:06.977Z", "datePublished": "2026-03-26T20:05:52.564Z", "dateUpdated": "2026-03-27T14:28:53.648Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:53.648Z"}, "datePublic": "2026-03-26T12:52:32.117Z", "title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS", "descriptions": [{"lang": "en", "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "11.6.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.14+security-01"}, {"version": "12.1.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.10+security-01"}, {"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.8+security-01"}, {"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.6+security-01"}, {"version": "12.4.0", "status": "affected", "versionType": "semver", "lessThan": "12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-33375", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."}], "id": "CVE-2026-33375", "lastModified": "2026-03-26T21:17:05.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:05.573", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-33375"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "Grafana MSSQL Data Source Plugin: Grafana MSSQL Data Source Plugin: Denial of Service via Out-Of-Memory exhaustion", "id": "2451939", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451939"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in the Grafana MSSQL Data Source Plugin. A low-privileged user, such as a Viewer, can exploit a logic flaw to bypass API restrictions. This allows them to trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, leading to the crashing of the host container. This vulnerability can result in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-33375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T20:05:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33375\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33375\nhttps://grafana.com/security/security-advisories/cve-2026-33375"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[11.6.0,11.6.14+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.1.0,12.1.10+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.0,12.2.8+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.0,12.3.6+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.4.0,12.4.2)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Grafana OSS", "source": "cna", "vendor": "Grafana"}, "product": "grafana", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-03-26T21:21:10.224418+00:00", "value": {"mitigation_remediation": ["Upgrade to the patched version of Grafana OSS as described in the vendor advisory.", "If an upgrade is not immediately possible, disable the MSSQL data source plugin or restrict Viewer users from accessing the relevant API endpoints.", "Monitor container memory usage for sudden spikes and set alerts for high memory consumption.", "Verify that other services running in the same container are isolated to limit the impact of a crash."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Grafana OSS deployments that use the MSSQL data source plugin are affected. Vendor and product information is listed as Grafana OSS; specific product versions are not disclosed in the advisory, so any instance with the plugin should be considered at risk until a patch is applied.", "description_and_impact": "The Grafana MSSQL data source plugin has a logic flaw that lets a Viewer\u2011level user bypass API restrictions and cause the system to consume all available memory, leading to an out\u2011of\u2011memory crash of the host container. The vulnerability therefore results in a denial\u2011of\u2011service condition, disrupting site availability without affecting the confidentiality of data. The underlying weakness is a lack of proper privilege enforcement in the API layer.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is exploitation of the Grafana API by a low\u2011privileged Viewer user; the user only needs access permissions to the Grafana instance and to invoke the API that triggers memory allocation. Once triggered, the container will crash, causing downtime for the service."}}}}, "created": "2026-03-27T08:32:10.856927+00:00", "updated": "2026-03-27T09:23:39.164183+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"], "weaknesses": ["CWE-640", "CWE-788"]}