Cyber Posture

CVE-2026-27880

Severity: High
Published: 27 March 2026
Modified: 10 May 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (6.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27880 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Grafana (vendor: Grafana). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Validates feature toggle evaluation endpoint inputs to enforce bounds on value sizes, preventing unbounded memory reads that cause out-of-memory crashes.
- Prevent, detect: Protects against denial-of-service events such as memory exhaustion by limiting the effects of unbounded input processing in the OpenFeature endpoint.
- Prevent: Enforces resource limits on memory allocation during endpoint evaluation to mitigate out-of-memory conditions caused by large inputs.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated remote exploitation of the public-facing Grafana endpoint crashes the application through memory exhaustion. This directly enables T1190 (Exploit Public-Facing Application) for initial access and impact, and T1499.004 (Application or System Exploitation) under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

Deeper analysis

CVE-2026-27880 is a vulnerability in the OpenFeature feature toggle evaluation endpoint within Grafana: the endpoint reads attacker-supplied values of unbounded size into memory, resulting in out-of-memory crashes. Published on 2026-03-27, it has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-787 (Out-of-bounds Write).

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation leads to high-impact denial of service by triggering out-of-memory conditions that crash the affected Grafana instance.

The Grafana security advisory provides details on this issue, available at https://grafana.com/security/security-advisories/cve-2026-27880.
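The mitigating controls above come down to bounding how much client input the endpoint will read. The following Go handler is an added example, not Grafana's code and not the real OpenFeature endpoint: it wraps the request body in http.MaxBytesReader before JSON decoding, so an oversized payload is rejected with 413 instead of being buffered into memory. The path /feature-toggles/evaluate, the request shape and the 64 KiB limit are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxEvalBody is an assumed cap on the evaluation request body; the real limit is not on the page.
const maxEvalBody int64 = 64 << 10 // 64 KiB

type evalRequest struct { // hypothetical request shape for a flag evaluation call
	FlagKey string            `json:"flagKey"`
	Context map[string]string `json:"context"`
}

// evalHandler wraps the body in http.MaxBytesReader before decoding, so the
// server never buffers more than maxEvalBody bytes of client-controlled input.
func evalHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxEvalBody)
	var req evalRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, `{"flagKey":%q,"value":false}`, req.FlagKey) // stubbed evaluation result
}

// evalStatus posts body to the handler in-process and returns the HTTP status code.
func evalStatus(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/feature-toggles/evaluate", strings.NewReader(body))
	evalHandler(rec, req)
	return rec.Code
}

func main() {
	// Constructed inputs: a small valid request and a ~70 KiB one; prints "200 413".
	big := `{"flagKey":"` + strings.Repeat("A", 70<<10) + `"}`
	fmt.Println(evalStatus(`{"flagKey":"newDashboard","context":{"user":"alice"}}`), evalStatus(big))
}
```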

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

Grafana Grafana: versions ≤ 12.1.0; 12.1.10 to 12.2.0; 12.2.8 to 12.3.0

CVEs Like This One

- CVE-2026-21720 (same product: Grafana Grafana)
- CVE-2026-27876 (same product: Grafana Grafana)
- CVE-2026-27877 (same product: Grafana Grafana)
- CVE-2026-21721 (same product: Grafana Grafana)
- CVE-2025-41118 (same vendor: Grafana)
- CVE-2026-28377 (same vendor: Grafana)
- CVE-2026-28693 (shared CWE-125, CWE-787)
- CVE-2026-32319 (shared CWE-125)
- CVE-2026-25990 (shared CWE-787)
- CVE-2026-32877 (shared CWE-125)

References

- Grafana security advisory: https://grafana.com/security/security-advisories/cve-2026-27880