The Grafana OSS MSSQL data source plugin contains a logic flaw that enables a user with low privileges (Viewer) to circumvent API restrictions. This flaw can be exploited to trigger catastrophic memory exhaustion (Out-Of-Memory), resulting in the crash of the host container running Grafana. The vulnerability affects versions 11.6.0, 12.1.0, 12.2.0, 12.3.0, and 12.4.0. The CVSS 3.1 base score is 6.5, reflecting a network attack vector with low attack complexity and low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact.

Successful exploitation leads to a denial-of-service condition by exhausting memory resources, causing the Grafana host container to crash. There is no direct impact on confidentiality or integrity, but availability of the Grafana service is severely affected.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Viewer role assignments to trusted users and monitor for abnormal memory usage patterns. Avoid exposing the MSSQL data source plugin to untrusted users. Follow updates from Grafana for an official patch or workaround.