CVE Catalog

CVE-2026-28379

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

Risk Assessment

The organization may experience downtime in the operation of the Grafana service, affecting data availability and potentially leading to a loss of user trust. In the event of an attack, users may be able to block the service, requiring administrative intervention.

Recommendation

It is recommended to restrict access to the Viewer role and monitor and limit the number of concurrent requests to the server. Additionally, consider upgrading to the latest version of Grafana to minimize the risk of this vulnerability.

Original NVD description (English source)

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS