CVE-2026-28376 Overview
CVE-2026-28376 is a denial-of-service vulnerability affecting the Grafana Live push endpoint. The endpoint accepts request bodies without enforcing a size limit, allowing an authenticated user to trigger unbounded memory allocation. Sending a large or streaming request body forces the server to consume memory until out-of-memory conditions occur.
The issue requires valid authentication and access to the Grafana Live API. Successful exploitation degrades or terminates the Grafana service, impacting availability for all users of the instance.
Critical Impact
An authenticated user can crash the Grafana process by submitting oversized or streaming payloads to the Live push endpoint, producing a service outage for the affected instance.
Affected Products
- Grafana (Grafana Live component)
- Refer to the Grafana Security Advisory CVE-2026-28376 for the exact affected version ranges
- Self-hosted and managed Grafana deployments exposing the Live push endpoint
Discovery Timeline
- 2026-05-13 - CVE-2026-28376 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28376
Vulnerability Analysis
Grafana Live is the real-time messaging subsystem in Grafana that streams data between the server and connected clients over WebSocket and HTTP. The push endpoint accepts data publishes from external producers, normally used to forward metrics or events into live channels.
The vulnerability stems from the absence of a size cap on the HTTP request body processed by the push handler. When the server reads a large or chunked streaming body, it allocates memory proportional to the input without bounded buffering or back-pressure. A single request can therefore exhaust the heap and trigger an out-of-memory termination of the Grafana process.
This is a resource exhaustion denial-of-service issue [CWE-770, Allocation of Resources Without Limits or Throttling]. Exploitation does not require administrative privileges, only an authenticated session with permission to call the Grafana Live API. Confidentiality and integrity are not affected; the impact is entirely on availability.
Root Cause
The push endpoint reads request bodies into memory without enforcing a maximum content length or applying streaming chunk limits. The handler trusts the client to provide a bounded payload.
Attack Vector
The attacker authenticates to Grafana, then issues an HTTP request to the Live push endpoint carrying either a very large Content-Length body or an indefinitely streamed chunked body. The server allocates buffers as data arrives and eventually exhausts available memory.
No verified proof-of-concept code has been published. See the Grafana Security Advisory CVE-2026-28376 for vendor-supplied technical details.
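The Root Cause and Attack Vector sections above describe a generic pattern: a handler that reads the whole request body into memory, with no cap enforced as bytes arrive. The following Go program is an added illustration written for this page; it is not Grafana code and not a proof of concept against Grafana. It places the unbounded read beside the bounded form (http.MaxBytesReader from the standard library) and drives both in-process with a small body and with an 8 MiB body that carries no Content-Length, which is how httptest models a chunked stream. The handler names, the 1 MiB limit and the /api/live/push/demo path are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxPushBody is the per-request body cap applied by the hardened handler.
// 1 MiB is an illustrative value chosen for this example, not a Grafana setting.
const maxPushBody = 1 << 20

// vulnerablePush mirrors the pattern the advisory describes: the whole body is
// read into memory with no cap, so peak memory is attacker-controlled.
func vulnerablePush(w http.ResponseWriter, r *http.Request) {
	data, err := io.ReadAll(r.Body) // keeps growing until the client stops sending
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(data))
}

// boundedPush wraps the body in http.MaxBytesReader before reading it. The cap
// is enforced on bytes actually received, so it holds for a chunked body with
// no Content-Length just as it does for a declared oversized Content-Length.
func boundedPush(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxPushBody)
	data, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(data))
}

// zeroReader never returns EOF; combined with io.LimitReader it stands in for a
// producer that keeps streaming chunks.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// streamingBody returns n bytes whose length is not declared up front;
// httptest.NewRequest sets ContentLength to -1 for such a reader, like a
// chunked request.
func streamingBody(n int64) io.Reader {
	return io.LimitReader(zeroReader{}, n)
}

// post drives a handler in-process and returns the status code it produced.
func post(h http.HandlerFunc, body io.Reader) int {
	req := httptest.NewRequest(http.MethodPost, "/api/live/push/demo", body)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, small body :", post(vulnerablePush, strings.NewReader(`{"v":1}`)))
	fmt.Println("vulnerable, 8 MiB stream:", post(vulnerablePush, streamingBody(8<<20)))
	fmt.Println("bounded, small body    :", post(boundedPush, strings.NewReader(`{"v":1}`)))
	fmt.Println("bounded, 8 MiB stream  :", post(boundedPush, streamingBody(8<<20)))
}
```

The vulnerable handler answers 200 to the 8 MiB stream only because the example stops the stream; a client that never stops makes the read run until the process is out of memory. The bounded handler answers 413 as soon as one byte past the limit arrives, regardless of what the request declares.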
Detection Methods for CVE-2026-28376
Indicators of Compromise
- Grafana process restarts or OOM-killer entries in system logs (dmesg, journalctl) coinciding with traffic to Live push endpoints
- HTTP access logs showing unusually large or long-lived POST requests to Grafana Live push URLs
- Sudden spikes in resident memory usage by the grafana-server process without a matching increase in dashboard or query load
Detection Strategies
- Alert on HTTP requests to Grafana Live push paths with Content-Length exceeding an organizational threshold, and on chunked transfer encoding to those paths from non-trusted clients; because a chunked body carries no Content-Length, also alert on the bytes actually received (NGINX $request_length) or on request duration for those paths
- Correlate Grafana service restarts with the authenticated user identity issuing the most recent push requests
- Baseline normal Grafana memory consumption and trigger on rapid growth or repeated OOM terminations
Monitoring Recommendations
- Forward Grafana access logs, audit logs, and host-level OOM events to a centralized log platform for correlation
- Track per-user API call volume and payload size against the Grafana Live push endpoint
- Monitor reverse-proxy metrics (NGINX, HAProxy) for request body size distributions in front of Grafana
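The Detection Strategies and Monitoring Recommendations above reduce to one rule over reverse-proxy access logs: a POST to the Live push path that is oversized, stays open unusually long, or was already rejected by the proxy body limit. The Go program below is an added example written for this page, not a Grafana or NGINX artifact. It assumes an NGINX combined log format with two fields appended, rt=$request_time and rl=$request_length, parses constructed sample lines, and counts findings per authenticated user. The thresholds and the sample lines are invented for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Thresholds are illustrative; tune them to the payloads your producers
// legitimately push.
const (
	pushPrefix     = "/api/live/push"
	maxBodyBytes   = 1 << 20 // 1 MiB
	maxRequestSecs = 10.0    // a push held open this long is being streamed
)

// lineRE matches the NGINX combined format with the assumed suffix
// "rt=$request_time rl=$request_length".
var lineRE = regexp.MustCompile(
	`^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "[^"]*" rt=([0-9.]+) rl=(\d+)$`)

type Finding struct {
	User   string
	Path   string
	Reason string
}

// scanLog applies the detection rule to each access-log line and returns the
// push requests that look like body-exhaustion attempts.
func scanLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not in the expected format; a real pipeline would count these
		}
		user, method, path, status := m[2], m[4], m[5], m[6]
		if method != "POST" || !strings.HasPrefix(path, pushPrefix) {
			continue
		}
		secs, _ := strconv.ParseFloat(m[7], 64)
		size, _ := strconv.ParseInt(m[8], 10, 64)
		var reasons []string
		if size > maxBodyBytes {
			reasons = append(reasons, fmt.Sprintf("received %d bytes, limit %d", size, maxBodyBytes))
		}
		if secs > maxRequestSecs {
			reasons = append(reasons, fmt.Sprintf("request open %.1fs", secs))
		}
		if status == "413" {
			reasons = append(reasons, "rejected by proxy body limit")
		}
		if len(reasons) > 0 {
			out = append(out, Finding{User: user, Path: path, Reason: strings.Join(reasons, "; ")})
		}
	}
	return out
}

// countByUser supports the per-user correlation the advisory recommends.
func countByUser(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		counts[f.User]++
	}
	return counts
}

// sampleLog is constructed for this example; it is not a real capture.
const sampleLog = `10.0.0.5 - alice [13/May/2026:10:00:01 +0000] "POST /api/live/push/ingest HTTP/1.1" 200 12 "-" "curl/8.5.0" rt=0.004 rl=512
10.0.0.9 - bob [13/May/2026:10:00:07 +0000] "POST /api/live/push/ingest HTTP/1.1" 200 12 "-" "python-requests/2.31" rt=38.217 rl=734003200
10.0.0.5 - alice [13/May/2026:10:00:09 +0000] "GET /api/dashboards/uid/abc HTTP/1.1" 200 4120 "-" "Mozilla/5.0" rt=0.011 rl=603
10.0.0.9 - bob [13/May/2026:10:00:12 +0000] "POST /api/live/push/ingest HTTP/1.1" 499 0 "-" "python-requests/2.31" rt=61.002 rl=1310720000
10.0.0.7 - carol [13/May/2026:10:00:15 +0000] "POST /api/live/push/sensors HTTP/1.1" 413 0 "-" "Go-http-client/1.1" rt=0.210 rl=1048577`

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("%-6s %-24s %s\n", f.User, f.Path, f.Reason)
	}
	fmt.Println(countByUser(scanLog(sampleLog)))
}
```

Status 499 (client closed the request) with a large rl and long rt is the shape a killed or restarted grafana-server leaves behind in the proxy log, which is why the rule keys on bytes received and duration rather than on the response code alone.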
How to Mitigate CVE-2026-28376
Immediate Actions Required
- Upgrade Grafana to the fixed version specified in the Grafana Security Advisory CVE-2026-28376
- Audit accounts with access to the Grafana Live API and revoke unnecessary permissions
- Place Grafana behind a reverse proxy that enforces a maximum request body size
Patch Information
Grafana Labs has published remediation guidance and fixed releases in the Grafana Security Advisory CVE-2026-28376. Apply the vendor patch for the affected release branch in use.
Workarounds
- Restrict network access to the Grafana Live push endpoint to trusted source ranges only
- Configure a reverse proxy (NGINX client_max_body_size, or HAProxy http-request deny if { req.body_size gt ... } with option http-buffer-request enabled so the body size is known) to reject oversized requests before they reach Grafana; the limit must apply to bytes actually received, since a chunked body declares no Content-Length
- Disable Grafana Live where it is not required, or revoke the API permission from non-essential service accounts
# Example NGINX reverse proxy limit for the Grafana Live push endpoint.
# Assumes an "upstream grafana_upstream" block is defined elsewhere in the configuration.
location /api/live/push {
    # Reject bodies above 1 MiB with 413. NGINX also enforces this on chunked
    # bodies as the bytes arrive. Size the limit to the largest push your
    # producers legitimately send.
    client_max_body_size 1m;
    client_body_buffer_size 64k;
    # Read the whole size-checked body before forwarding, so an oversized
    # request is never passed on to grafana-server.
    proxy_request_buffering on;
    proxy_pass http://grafana_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


