BIT-grafana-2026-27880: OpenFeature evaluation API reads input data with no bounds
CVE-2026-27880 is a vulnerability in Grafana's OpenFeature feature toggle evaluation endpoint where unbounded input data is read into memory. This can lead to out-of-memory crashes, potentially causing denial of service. The issue affects multiple Grafana versions in the 12.x series prior to specific patch releases. No CVSS score is available, but the severity is assessed as high. There is no explicit vendor advisory patch information provided in the input data. The vulnerability is not related to a cloud service and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The OpenFeature evaluation API in Grafana versions >=12.1.0 <12.1.10, >=12.2.0 <12.2.8, >=12.3.0 <12.3.6, and >=12.4.0 <12.4.2 reads input data without bounds into memory. This unbounded read can cause the application to consume excessive memory, leading to out-of-memory crashes. The vulnerability is categorized as high severity due to its potential to disrupt service availability. No CVSS score or explicit patch information is provided in the available data. The vendor advisory referenced (Red Hat) does not contain explicit remediation details in the provided excerpt.
Potential Impact
Successful exploitation of this vulnerability can cause Grafana to crash due to out-of-memory conditions, resulting in denial of service. There is no indication of code execution or data leakage. No known exploits are currently reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no explicit patch or workaround is provided in the available vendor advisory content, users should monitor official Grafana and Red Hat advisories for updates. Until a fix is applied, consider limiting input sizes or applying resource limits to mitigate potential crashes.
BIT-grafana-2026-27880: OpenFeature evaluation API reads input data with no bounds
Description
CVE-2026-27880 is a vulnerability in Grafana's OpenFeature feature toggle evaluation endpoint where unbounded input data is read into memory. This can lead to out-of-memory crashes, potentially causing denial of service. The issue affects multiple Grafana versions in the 12.x series prior to specific patch releases. No CVSS score is available, but the severity is assessed as high. There is no explicit vendor advisory patch information provided in the input data. The vulnerability is not related to a cloud service and no known exploits are reported in the wild.
Affected software
pkg:bitnami/grafanaRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The OpenFeature evaluation API in Grafana versions >=12.1.0 <12.1.10, >=12.2.0 <12.2.8, >=12.3.0 <12.3.6, and >=12.4.0 <12.4.2 reads input data without bounds into memory. This unbounded read can cause the application to consume excessive memory, leading to out-of-memory crashes. The vulnerability is categorized as high severity due to its potential to disrupt service availability. No CVSS score or explicit patch information is provided in the available data. The vendor advisory referenced (Red Hat) does not contain explicit remediation details in the provided excerpt.
Potential Impact
Successful exploitation of this vulnerability can cause Grafana to crash due to out-of-memory conditions, resulting in denial of service. There is no indication of code execution or data leakage. No known exploits are currently reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no explicit patch or workaround is provided in the available vendor advisory content, users should monitor official Grafana and Red Hat advisories for updates. Until a fix is applied, consider limiting input sizes or applying resource limits to mitigate potential crashes.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- BIT-grafana-2026-27880
- Osv Schema Version
- 1.6.2
- Aliases
- ["CVE-2026-27880"]
- Ecosystems
- ["Bitnami"]
- Database Specific Severity
- High
- Cvss Version
- null
Threat ID: 6a4c347b27e9c79719605d0a
Added to database: 07/06/2026, 23:04:27 UTC
Last enriched: 07/06/2026, 23:38:35 UTC
Last updated: 07/07/2026, 00:06:06 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.