Cyber Resilience

CVE-2026-21720

HighDDoS

Published: 27 January 2026

Published
27 January 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 11.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21720 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Grafana Grafana. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-21720 is a denial-of-service vulnerability in Grafana affecting the /avatar/:hash endpoint. Every uncached request to this endpoint spawns a goroutine to refresh the corresponding Gravatar image. When the refresh operation queues up in the 10-slot worker queue and exceeds the three-second handler timeout, the handler stops listening for the result, leaving the goroutine blocked indefinitely while attempting to send on an unbuffered channel. Under sustained traffic with random hashes, this repeatedly triggers timeouts, causing goroutine counts to grow linearly, exhausting memory and crashing Grafana instances on some systems. The issue maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-703 (Improper Check or Handling of Exceptional Conditions), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated attacker with network access to a vulnerable Grafana instance can exploit this by sending a high volume of requests to /avatar/:hash with random or uncached hashes. This low-complexity attack requires no privileges or user interaction and leads to resource exhaustion, rendering the service unavailable through memory depletion and process crashes.

The official Grafana security advisory provides details on patches and mitigation steps at https://grafana.com/security/security-advisories/CVE-2026-21720.

EU & UK References

Vulnerability details

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever…

more

trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct exploitation of public-facing Grafana app via crafted requests to trigger unbounded goroutine/resource exhaustion and crash (CWE-400).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27880Same product: Grafana Grafana
CVE-2026-33376Same product: Grafana Grafana
CVE-2026-27876Same product: Grafana Grafana
CVE-2026-27877Same product: Grafana Grafana
CVE-2026-21721Same product: Grafana Grafana
CVE-2026-33377Same product: Grafana Grafana
CVE-2025-41118Same vendor: Grafana
CVE-2026-28377Same vendor: Grafana
CVE-2026-39304Shared CWE-400
CVE-2025-27669Shared CWE-400

Affected Assets

grafana
grafana
12.3.0 · 3.0.0 — 11.6.9 · 3.0.0 — 11.6.9 · 12.0.0 — 12.0.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-5 enforces denial-of-service protections at entry points like the /avatar/:hash endpoint to block high-volume requests that trigger goroutine exhaustion.

prevent

SC-6 allocates and limits system resources such as memory and processes per user or request to prevent linear goroutine growth leading to exhaustion.

prevent

SI-2 requires timely flaw remediation including patching the specific vulnerability causing blocked goroutines on timeout in Grafana.

References