CVE-2026-28379
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
Risk Assessment
The organization may experience downtime in the operation of the Grafana service, affecting data availability and potentially leading to a loss of user trust. In the event of an attack, users may be able to block the service, requiring administrative intervention.
Recommendation
It is recommended to restrict access to the Viewer role and monitor and limit the number of concurrent requests to the server. Additionally, consider upgrading to the latest version of Grafana to minimize the risk of this vulnerability.
Original NVD description (English source)
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

