CVE-2026-28379: Viewer-triggered race condition in Grafana Live leads to complete server crash
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
Security readout for executives and security teams
Plain-English summary
Any logged-in Grafana user, even one with the lowest-privilege Viewer role, can crash the entire Grafana server by sending overlapping requests to the Live real-time feature. The server becomes fully unavailable until an administrator restarts it, disrupting dashboards, alerts, and monitoring workflows that teams rely on to run the business.
Executive priority
Treat as a scheduled patch this cycle. Impact is service outage of a monitoring platform, not data loss, but Grafana downtime can blind operations and incident response. Prioritize any internet-facing or multi-tenant Grafana ahead of internal single-team deployments.
Technical view
A race condition (CWE-362) in Grafana Live permits concurrent authenticated requests to trigger a fatal concurrent map access, terminating the Grafana process. CVSS 3.1 is 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) — network-reachable, low complexity, requires Viewer-level authentication, and yields high availability impact with no confidentiality or integrity loss. Affected versions are enumerated in the Grafana advisory.
Likely exposure
Internet-exposed Grafana OSS instances that permit self-service or shared Viewer accounts face the broadest exposure. Internal deployments where any employee, contractor, or SSO-provisioned user can obtain a Viewer login are also within scope. Instances that disable Grafana Live or restrict authentication reduce reachability significantly.
Exploitation context
Not listed in CISA KEV; the vendor advisory does not cite in-the-wild exploitation as of the July 2026 update. Exploitation requires only Viewer credentials and network reach to Grafana Live, so the bar is low for insiders or shared demo accounts. Impact is denial of service, not data disclosure or code execution.
Researcher notes
CWE-362 concurrent map access in Grafana Live is triggerable by low-privilege authenticated users; reproduction likely involves concurrent WebSocket or streaming requests. Affected list spans 8.2.0 through 13.0.1 across multiple release trains, suggesting the defect predates recent Live refactors. Confirm the fixed version in the vendor advisory before closing tickets; no CPEs were published in the CVE record.
Mitigation direction
Review the Grafana security advisory and upgrade to a fixed release identified there.
Restrict Grafana Live exposure via network controls or reverse-proxy rules where feasible.
Audit Viewer accounts and disable stale, shared, or self-registered users.
Ensure Grafana runs under a supervisor (systemd, Kubernetes) that auto-restarts after crash.
Monitor Grafana process logs for panic and concurrent-map-access signatures.
Validation and detection
Inventory Grafana OSS instances and compare running versions to the advisory's affected list.
Confirm patched build reports the fixed version via /api/health and admin UI.
Verify Grafana Live endpoints are reachable only through expected authentication paths.
Check crash-loop or restart telemetry for prior unexplained Grafana terminations.
Track advisory updates for any revised fix guidance or KEV additions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-362: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-362 · source CWE mapping
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.