=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN509
_____________________________________________________________________

DATE                : 18/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana versions prior to
                     11.6.14+security-04, 12.2.8+security-04,
                     12.3.6+security-04, 12.4.3+security-02,
                     13.0.1+security-01.

=====================================================================
https://grafana.com/security/security-advisories/cve-2026-28376/
_____________________________________________________________________

Grafana Live push endpoint allows unbounded memory allocation leading
to OOM

Severity:       Medium
Advisory ID:    CVE-2026-28376
Published:      2026-05-13
Product:        Grafana
CVSS Score:     6.5
CVSS Vector:    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Fixed Versions:
    >=11.6.14+security-04
    >=12.2.8+security-04
    >=12.3.6+security-04
    >=12.4.3+security-02
    >=13.0.1+security-01


Summary

The Grafana Live push endpoint can be exploited to cause unbounded
memory allocation by sending a large or streaming request body,
potentially leading to out-of-memory conditions. An authenticated
user with access to the Grafana Live API can trigger this issue.
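
A triage check against the fixed versions listed above, as an added example that is not part of the advisory or of Grafana's own code. It assumes that a `+security-NN` build orders above the plain release of the same patch level and that later patch releases and newer branches carry the fix; the function names and the `no_fix_listed` label are hypothetical.

```python
import re

# Fixed releases copied from the advisory, keyed by (major, minor) branch.
# The fourth element is the NN of the "+security-NN" suffix.
FIXED = {
    (11, 6): (11, 6, 14, 4),
    (12, 2): (12, 2, 8, 4),
    (12, 3): (12, 3, 6, 4),
    (12, 4): (12, 4, 3, 2),
    (13, 0): (13, 0, 1, 1),
}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse(version):
    """Return (major, minor, patch, security_level).

    Strict semver ignores everything after '+' when ordering, which would
    make 12.3.6 and 12.3.6+security-04 compare equal. Here the suffix is
    kept as a fourth component; a plain release gets level 0 (assumption).
    """
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def status(version):
    """Classify a version as 'fixed', 'affected' or 'no_fix_listed'."""
    v = parse(version)
    branch = v[:2]
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "affected"
    # Assumption: a branch newer than every listed one already has the fix.
    if branch > max(FIXED):
        return "fixed"
    # Branch without a fixed release in the advisory: treat the instance as
    # affected and plan an upgrade to one of the listed branches.
    return "no_fix_listed"


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for ver in ["12.3.6", "12.3.6+security-04", "12.4.3+security-01", "12.1.0"]:
        print(f"{ver:24} {status(ver)}")
```

Feed it the version string reported by each instance (for example from the `version` field of the `/api/health` response) to sort an inventory into patched and unpatched hosts.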


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




