{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-21720","assignerOrgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","state":"PUBLISHED","assignerShortName":"GRAFANA","dateReserved":"2026-01-05T09:26:06.214Z","datePublished":"2026-01-27T09:07:04.758Z","dateUpdated":"2026-07-10T18:44:36.718Z"},"containers":{"cna":{"providerMetadata":{"orgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","shortName":"GRAFANA","dateUpdated":"2026-07-10T18:44:36.718Z"},"datePublic":"2026-01-27T09:03:09.893Z","title":"Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out","descriptions":[{"lang":"en","value":"Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.","supportingMedia":[{"type":"text/markdown","value":"Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."}]}],"affected":[{"vendor":"Grafana","product":"grafana/grafana-enterprise","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"11.6.9"}]},{"vendor":"Grafana","product":"grafana/grafana-enterprise","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"12.0.8"}]},{"vendor":"Grafana","product":"grafana/grafana-enterprise","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"12.1.5"}]},{"vendor":"Grafana","product":"grafana/grafana","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"11.6.9"}]},{"vendor":"Grafana","product":"grafana/grafana","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"12.0.8"}]},{"vendor":"Grafana","product":"grafana/grafana","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"12.1.5"}]},{"vendor":"Grafana","product":"grafana/grafana-enterprise","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"12.2.3"}]},{"vendor":"Grafana","product":"grafana/grafana","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"12.2.3"}]},{"vendor":"Grafana","product":"grafana/grafana-enterprise","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"12.3.1"}]},{"vendor":"Grafana","product":"grafana/grafana","defaultStatus":"unaffected","versions":[{"version":"3.0.0","status":"affected","versionType":"semver","lessThan":"12.3.1"}]}],"references":[{"url":"https://grafana.com/security/security-advisories/cve-2026-21720","tags":["vendor-advisory"]}],"metrics":[{"cvssV3_1":{"version":"3.1","baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],"source":{"discovery":"BUG_BOUNTY"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-400","lang":"en","description":"CWE-400 Uncontrolled Resource Consumption"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-703","lang":"en","description":"CWE-703 Improper Check or Handling of Exceptional Conditions"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-27T14:28:02.795937Z","id":"CVE-2026-21720","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-27T14:29:08.671Z"}},{"affected":[{"cpes":["cpe:/a:redhat:ceph_storage:7"],"defaultStatus":"unaffected","product":"Red Hat Ceph Storage 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ceph_storage:8"],"defaultStatus":"unaffected","product":"Red Hat Ceph Storage 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"}],"datePublic":"2026-01-27T09:07:04.758Z","descriptions":[{"lang":"en","value":"A flaw was found in Grafana. A remote attacker can exploit this vulnerability by sending a sustained volume of uncached /avatar/:hash requests. This action causes the system to create and block goroutines, which are lightweight concurrent functions, leading to a continuous increase in memory usage. Over time, this resource exhaustion can cause Grafana to crash, resulting in a Denial of Service (DoS)."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-772","description":"Missing Release of Resource after Effective Lifetime","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-21720"},{"name":"RHBZ#2433226","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433226"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21720.json"}],"timeline":[{"lang":"en","time":"2026-01-27T10:01:10.677Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-01-27T09:07:04.758Z","value":"Made public."}],"title":"grafana: Grafana: Denial of Service via resource exhaustion from avatar requests","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:06:49.515Z"}}]}}