{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33375", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-03-19T07:55:06.977Z", "datePublished": "2026-03-26T20:05:52.564Z", "dateUpdated": "2026-03-27T14:40:37.122Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:53.648Z"}, "datePublic": "2026-03-26T12:52:32.117Z", "title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS", "descriptions": [{"lang": "en", "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "platforms": ["OnPrem"], "defaultStatus": "unaffected", "versions": [{"version": "11.6.0", "status": "affected", "versionType": "semver", "lessThan": "11.6.14+security-01"}, {"version": "12.1.0", "status": "affected", "versionType": "semver", "lessThan": "12.1.10+security-01"}, {"version": "12.2.0", "status": "affected", "versionType": "semver", "lessThan": "12.2.8+security-01"}, {"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThan": "12.3.6+security-01"}, {"version": "12.4.0", "status": "affected", "versionType": "semver", "lessThan": "12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-33375", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:39:23.654250Z", "id": "CVE-2026-33375", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:40:37.122Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:39:23.654250Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:39:19.947Z"}}], "cna": {"title": "Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "versions": [{"status": "affected", "version": "11.6.0", "lessThan": "11.6.14+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.1.0", "lessThan": "12.1.10+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.8+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.3.0", "lessThan": "12.3.6+security-01", "versionType": "semver"}, {"status": "affected", "version": "12.4.0", "lessThan": "12.4.2", "versionType": "semver"}], "platforms": ["OnPrem"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-26T12:52:32.117Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-33375", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:53.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33375", "state": "PUBLISHED", "dateUpdated": "2026-03-27T14:40:37.122Z", "dateReserved": "2026-03-19T07:55:06.977Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-26T20:05:52.564Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container."}, {"lang": "es", "value": "El plugin de fuente de datos de Grafana MSSQL contiene un fallo l\u00f3gico que permite a un usuario con pocos privilegios (Visor) eludir las restricciones de la API y desencadenar un agotamiento catastr\u00f3fico de la memoria por Out-Of-Memory (OOM), lo que provoca la ca\u00edda del contenedor anfitri\u00f3n."}], "id": "CVE-2026-33375", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:05.573", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-33375"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Grafana MSSQL Data Source Plugin: Grafana MSSQL Data Source Plugin: Denial of Service via Out-Of-Memory exhaustion", "id": "2451939", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451939"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in the Grafana MSSQL Data Source Plugin. A low-privileged user, such as a Viewer, can exploit a logic flaw to bypass API restrictions. This allows them to trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, leading to the crashing of the host container. This vulnerability can result in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-33375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T20:05:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33375\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33375\nhttps://grafana.com/security/security-advisories/cve-2026-33375"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[11.6.0,11.6.14+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.1.0,12.1.10+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.0,12.2.8+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.0,12.3.6+security-01)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.4.0,12.4.2)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Grafana OSS", "source": "cna", "vendor": "Grafana"}, "product": "grafana", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-03-27T22:35:14.480916+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s patch or upgrade to a fixed Grafana OSS version as soon as it becomes available.", "If a patch is not yet available, restrict or disable Viewer-level API access to the MSSQL data source plugin.", "For installations where the MSSQL plugin is not essential, disable or remove the plugin entirely.", "Monitor container memory usage for abnormal consumption patterns and maintain regular backups of Grafana configurations to accelerate recovery if a DoS occurs."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via Out-Of-Memory exhaustion"}, "threat_synthesis": {"affected_systems": "Grafana OSS deployments that include the MSSQL data source plugin are potentially affected. No explicit version range is provided in the advisory, so any Grafana OSS installation with the plugin enabled should be considered at risk until a patch is applied.", "description_and_impact": "The Grafana MSSQL data source plugin contains a logic flaw that lets a low-privileged Viewer bypass API restrictions and trigger a catastrophic out-of-memory condition, causing the host container to crash. This flaw is a classic example of uncontrolled resource consumption and memory allocation abuse, identified as CWE-400 and CWE-770. The immediate effect is a denial of service that disrupts all users connected to the affected Grafana instance or any services running in the same container environment.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a low-privileged Viewer who can access the plugin\u2019s API; exploitation requires only standard API access and does not need elevated privileges or remote code execution. The impact remains limited to service interruption rather than data theft or privilege escalation."}}}}, "created": "2026-03-27T08:32:10.856927+00:00", "updated": "2026-03-29T20:27:49.934145+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"]}