{"id":"CVE-2026-33375","summary":"Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS","details":"The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) condition, crashing the host container.","aliases":["BIT-grafana-2026-33375"],"modified":"2026-06-05T10:59:08.615518135Z","published":"2026-03-26T20:05:52.564Z","related":["CGA-3r6v-rxmj-3782","SUSE-SU-2026:2243-1","SUSE-SU-2026:2258-1","SUSE-SU-2026:2265-1","openSUSE-SU-2026:10601-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33375.json","cna_assigner":"GRAFANA","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"11.6.0"},{"fixed":"11.6.14+security-01"},{"introduced":"12.1.0"},{"fixed":"12.1.10+security-01"},{"introduced":"12.2.0"},{"fixed":"12.2.8+security-01"},{"introduced":"12.3.0"},{"fixed":"12.3.6+security-01"},{"introduced":"12.4.0"},{"fixed":"12.4.2"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33375.json"},{"type":"ADVISORY","url":"https://grafana.com/security/security-advisories/cve-2026-33375"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33375"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana","events":[{"introduced":"d2fdff9ee4d75c74bfd3a97c18a0b8e4d029f06e"},{"fixed":"4da40799451631e6c8591c841282447cdf55be3d"},{"introduced":"ccd7b6ce7ea6184b8c7eb1de044174147dd9a648"},{"fixed":"619bd51f27dc73c6ccfa4442cd5d05addaa70ed9"},{"introduced":"92f1fba9b4b6700328e99e97328d6639df8ddc3d"},{"fixed":"576f2e81b33bc857df779c95cb38effaa6c58b03"},{"introduced":"20051fb1fc604fc54aae76356da1c14612af41d0"},{"fixed":"3b85eb0d9490f36d682e4fe55684f7da7b8b99b6"},{"introduced":"d1729c53a7f44e2e58947eb44eb896c2fb1c30b3"},{"fixed":"ebade4c739e1aface4c
e094934ad85374887a680"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"11.6.0"},{"fixed":"11.6.14"},{"introduced":"12.1.0"},{"fixed":"12.1.10"},{"introduced":"12.2.0"},{"fixed":"12.2.8"},{"introduced":"12.3.0"},{"fixed":"12.3.6"},{"introduced":"12.4.0"},{"fixed":"12.4.2"}],"cpe":"cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*"}}],"versions":["v11.6.13","v12.1.9","v11.6.12","v12.1.8","v12.1.7","v11.6.11","v12.1.6","v11.6.10","v12.1.5","v11.6.9","v11.6.8","v12.1.4","v12.1.3","v11.6.7","v12.1.2","v11.6.6","v12.1.1","v11.6.5","v11.6.4","v12.1.0","v11.6.2","v11.6.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33375.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}