LiveActive security incident?Get immediate response
CVE Record

CVE-2026-28379: Viewer-triggered race condition in Grafana Live leads to complete server crash

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

MediumCVSS 6.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

Any logged-in Grafana user, even one with the lowest-privilege Viewer role, can crash the entire Grafana server by sending overlapping requests to the Live real-time feature. The server becomes fully unavailable until an administrator restarts it, disrupting dashboards, alerts, and monitoring workflows that teams rely on to run the business.

Executive priority

Treat as a scheduled patch this cycle. Impact is service outage of a monitoring platform, not data loss, but Grafana downtime can blind operations and incident response. Prioritize any internet-facing or multi-tenant Grafana ahead of internal single-team deployments.

Technical view

A race condition (CWE-362) in Grafana Live permits concurrent authenticated requests to trigger a fatal concurrent map access, terminating the Grafana process. CVSS 3.1 is 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) — network-reachable, low complexity, requires Viewer-level authentication, and yields high availability impact with no confidentiality or integrity loss. Affected versions are enumerated in the Grafana advisory.

Likely exposure

Internet-exposed Grafana OSS instances that permit self-service or shared Viewer accounts face the broadest exposure. Internal deployments where any employee, contractor, or SSO-provisioned user can obtain a Viewer login are also within scope. Instances that disable Grafana Live or restrict authentication reduce reachability significantly.

Exploitation context

Not listed in CISA KEV; the vendor advisory does not cite in-the-wild exploitation as of the July 2026 update. Exploitation requires only Viewer credentials and network reach to Grafana Live, so the bar is low for insiders or shared demo accounts. Impact is denial of service, not data disclosure or code execution.

Researcher notes

CWE-362 concurrent map access in Grafana Live is triggerable by low-privilege authenticated users; reproduction likely involves concurrent WebSocket or streaming requests. Affected list spans 8.2.0 through 13.0.1 across multiple release trains, suggesting the defect predates recent Live refactors. Confirm the fixed version in the vendor advisory before closing tickets; no CPEs were published in the CVE record.

Mitigation direction

  • Review the Grafana security advisory and upgrade to a fixed release identified there.
  • Restrict Grafana Live exposure via network controls or reverse-proxy rules where feasible.
  • Audit Viewer accounts and disable stale, shared, or self-registered users.
  • Ensure Grafana runs under a supervisor (systemd, Kubernetes) that auto-restarts after crash.
  • Monitor Grafana process logs for panic and concurrent-map-access signatures.

Validation and detection

  • Inventory Grafana OSS instances and compare running versions to the advisory's affected list.
  • Confirm patched build reports the fixed version via /api/health and admin UI.
  • Verify Grafana Live endpoints are reachable only through expected authentication paths.
  • Check crash-loop or restart telemetry for prior unexplained Grafana terminations.
  • Track advisory updates for any revised fix guidance or KEV additions.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-362: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-28379 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
2Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.5CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H2.83.6GRAFANA

Vulnerability scoring details

Base CVSS 3.1 score

6.5Medium
CVSS 3.1 vector shape for CVE-2026-28379Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
GrafanaGrafana OSS8.2.0, 11.6.14, 12.0.0, 12.2.8, 12.3.0, 12.3.6, 12.4.0, 12.4.3, 13.0.0, 13.0.1unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-362 · source CWE mapping

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.