CVE-2026-21720 is a denial-of-service vulnerability affecting Grafana Enterprise version 3.0.0. The issue arises from the way Grafana handles requests to /avatar/:hash endpoints, which are used to fetch Gravatar images. Each uncached request spawns a goroutine responsible for refreshing the Gravatar image. These goroutines communicate results via unbuffered channels. If the goroutine is queued in a 10-slot worker queue for longer than three seconds, the HTTP handler times out and stops listening for the result. However, the goroutine continues running and attempts to send data on the unbuffered channel, which blocks indefinitely because the receiver is no longer active. This leads to goroutine leaks that accumulate linearly with sustained traffic containing random hashes. Over time, the growing number of blocked goroutines exhausts system memory, causing Grafana to crash. The vulnerability is remotely exploitable without authentication or user interaction, making it a network-exploitable denial-of-service (DoS) vector. The CVSS 3.1 score is 7.5 (high), reflecting the ease of exploitation and impact on availability. The underlying weaknesses correspond to CWE-400 (Uncontrolled Resource Consumption) and CWE-703 (Improper Check or Handling of Exceptional Conditions). No patches or exploits in the wild are currently reported, but the issue poses a significant risk to service stability in affected environments.

This vulnerability primarily impacts the availability of Grafana Enterprise 3.0.0 instances by causing memory exhaustion and crashes due to goroutine leaks. Organizations relying on Grafana for monitoring, visualization, and alerting may experience service outages, leading to loss of visibility into critical infrastructure and applications. This can delay incident detection and response, increasing operational risk. The vulnerability does not affect confidentiality or integrity but can indirectly impact business continuity and operational efficiency. Attackers can exploit this remotely without authentication, making it a low-barrier denial-of-service vector. Large-scale or sustained exploitation could disrupt monitoring platforms across enterprises, managed service providers, and cloud environments. Systems with limited memory or high traffic volumes are particularly vulnerable. The lack of known exploits in the wild suggests limited current exploitation, but the ease of triggering the issue warrants proactive mitigation.

To mitigate CVE-2026-21720, organizations should first upgrade Grafana Enterprise to a version where this issue is fixed once available. In the absence of an official patch, administrators can implement several practical controls: 1) Limit or block external access to the /avatar/:hash endpoint using web application firewalls (WAFs) or reverse proxies to reduce exposure to malicious requests with random hashes. 2) Implement rate limiting on avatar requests to prevent sustained high-volume traffic that triggers goroutine leaks. 3) Monitor Grafana server metrics for abnormal goroutine counts and memory usage to detect early signs of exploitation. 4) Consider disabling Gravatar integration if it is not essential to reduce attack surface. 5) Deploy Grafana instances behind network controls that restrict traffic to trusted sources. 6) Regularly review and update Grafana configurations to minimize unnecessary features that may be exploited. These targeted mitigations complement standard security hygiene and help maintain service availability until an official patch is released.