Grafana
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in Grafana. When an uncached avatar request is made, it triggers a goroutine to refresh the Gravatar image. If this refresh takes longer than three seconds in the 10-slot worker queue, the handler times out and stops waiting for the result. Consequently, the goroutine becomes blocked indefinitely, trying to send data on an unbuffered channel. This issue can be exploited by sending sustained traffic with random hashes, causing the goroutine count to increase linearly. Eventually, this growth exhausts system memory, leading Grafana to crash on certain systems.
Exploitation of this vulnerability exhausts system memory and causes Grafana to crash, disrupting service.
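The blocked-send pattern described above, reduced to a minimal Go program; this is an added example, not Grafana's code or its patch. The names `fetchAvatar` and `strandedAfter` are hypothetical, the timings are scaled down from the three-second timeout, and the buffered channel shown is one common remedy for this class of leak.

```go
package main

import (
	"fmt"
	"sync/atomic"
	"time"
)

// fetchAvatar (hypothetical name) starts a refresh goroutine and waits at most
// timeout for its result. chanCap is the result channel's capacity:
// 0 = unbuffered (the leaking pattern), 1 = buffered (the send never blocks).
func fetchAvatar(refresh func() string, timeout time.Duration, chanCap int, exited *int64) (string, bool) {
	result := make(chan string, chanCap)
	go func() {
		defer atomic.AddInt64(exited, 1) // reached only if the send completes
		result <- refresh()              // unbuffered: blocks forever once the handler has left
	}()
	select {
	case v := <-result:
		return v, true
	case <-time.After(timeout):
		return "", false // handler gives up; nothing will ever receive from result
	}
}

// strandedAfter issues n requests whose refresh outlasts the handler timeout
// and returns how many refresh goroutines never exited.
func strandedAfter(n, chanCap int) int64 {
	var exited int64
	slow := func() string { // constructed stand-in for a slow Gravatar fetch
		time.Sleep(50 * time.Millisecond)
		return "avatar-bytes"
	}
	for i := 0; i < n; i++ {
		fetchAvatar(slow, 5*time.Millisecond, chanCap, &exited) // scaled-down 3 s timeout
	}
	time.Sleep(300 * time.Millisecond) // let every refresh finish its work
	return int64(n) - atomic.LoadInt64(&exited)
}

func main() {
	fmt.Println("stranded goroutines, unbuffered channel:", strandedAfter(10, 0))
	fmt.Println("stranded goroutines, buffered channel:  ", strandedAfter(10, 1))
}
```

In a running service the same growth shows up as a steadily rising goroutine count (`runtime.NumGoroutine()` or a goroutine profile) that does not fall back after request traffic stops.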