CVE-2026-21720
Published: 27 January 2026
Summary
CVE-2026-21720 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Grafana Grafana. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Resource consumption and denial-of-service testing performed under the assessment plan detects uncontrolled allocation paths that are subsequently fixed.
Cyber resiliency objectives explicitly include graceful handling of adverse conditions and exceptional states, reducing improper exception handling.
MTTF monitoring plus ready substitutes directly mitigate sustained resource exhaustion by allowing component swap before or at failure.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Implements explicit check and handling for the exceptional condition of audit logging process failure.
Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct exploitation of public-facing Grafana app via crafted requests to trigger unbounded goroutine/resource exhaustion and crash (CWE-400).
NVD Description
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever…
more
trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Deeper analysisAI
CVE-2026-21720 is a denial-of-service vulnerability in Grafana affecting the /avatar/:hash endpoint. Every uncached request to this endpoint spawns a goroutine to refresh the corresponding Gravatar image. When the refresh operation queues up in the 10-slot worker queue and exceeds the three-second handler timeout, the handler stops listening for the result, leaving the goroutine blocked indefinitely while attempting to send on an unbuffered channel. Under sustained traffic with random hashes, this repeatedly triggers timeouts, causing goroutine counts to grow linearly, exhausting memory and crashing Grafana instances on some systems. The issue maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-703 (Improper Check or Handling of Exceptional Conditions), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access to a vulnerable Grafana instance can exploit this by sending a high volume of requests to /avatar/:hash with random or uncached hashes. This low-complexity attack requires no privileges or user interaction and leads to resource exhaustion, rendering the service unavailable through memory depletion and process crashes.
The official Grafana security advisory provides details on patches and mitigation steps at https://grafana.com/security/security-advisories/CVE-2026-21720.
Details
- CWE(s)