CVE-2026-33375: Vulnerability in Grafana OSS (Grafana)
CVE-2026-33375 is a medium-severity (CVSS v3.1 base score 6.5) vulnerability in the MSSQL data source plugin of Grafana OSS that lets a user holding only the Viewer role bypass API restrictions and drive the Grafana process into an Out-Of-Memory (OOM) condition, crashing the container it runs in. Affected versions are Grafana OSS 11.6.0 and 12.1.0 through 12.4.0. Exploitation needs no user interaction but does require a session with Viewer privileges on the instance. The impact is on availability only; confidentiality and integrity are not affected.
AI Analysis
Technical Summary
CVE-2026-33375 is a logic flaw in the MSSQL data source plugin of Grafana OSS, the open-source analytics and monitoring platform. A user holding only the Viewer role, the low-privileged role intended for reading dashboards, can bypass API restrictions meant to limit resource-intensive operations and push the Grafana process into an Out-Of-Memory (OOM) condition, crashing the container it runs in and denying service to every other user of that instance. No user interaction is needed and no privilege escalation beyond Viewer takes place. Affected versions are Grafana OSS 11.6.0 and 12.1.0 through 12.4.0. The impact is confined to availability; the flaw does not allow unauthorized reading or modification of data. The CVSS v3.1 base score is 6.5 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, high availability impact. No public exploit or in-the-wild exploitation had been reported at publication. The published description does not go beyond attributing the problem to the plugin's API handling failing to enforce the intended restriction, so the specific request that triggers the exhaustion is not documented here. Two details matter when scoping exposure: Viewer is the org role that Grafana's anonymous-access option grants by default, so an instance with anonymous access enabled meets the PR:L precondition without any credentials; and the flaw lives in the MSSQL plugin, so an instance with no MSSQL data source defined exposes less of this code path, which is a reason to prioritise patching elsewhere first, not to skip it. The flaw is particularly concerning in containerized deployments, where the OOM-killed container takes the monitoring and analytics views that operators depend on down with it.
Potential Impact
The primary impact of CVE-2026-33375 is denial of service: an OOM crash of the Grafana container takes dashboards and alerting views offline, which can blind operations and security teams to system health and security events at the moment they most need them. Organizations that rely on Grafana OSS for real-time monitoring of infrastructure, applications, or security telemetry may see outages or delayed incident response. No data is exposed or tampered with, but the loss of availability can cascade into operational continuity and incident management, and under Kubernetes or a similar orchestrator a repeatedly OOM-killed container can end up in a restart loop that an attacker with a Viewer session can sustain simply by repeating the request after each restart. Because the trigger is a network request from a low-privileged account with no user interaction, exploitation is easy to automate and repeat. The impact is greatest where Grafana is a critical component of the observability stack, especially in containerized or cloud-native infrastructure. The absence of a known exploit lowers immediate risk but does not remove it; an unpatched instance remains exposed to service disruption.
Mitigation Recommendations
Upgrade Grafana OSS to a release that Grafana's advisory for CVE-2026-33375 lists as fixed; that is the only complete remediation. Until the upgrade lands, reduce who can reach the vulnerable path: check whether anonymous access is enabled (the [auth.anonymous] section of grafana.ini, whose default org_role is Viewer) and disable it if it is not required, since an anonymous Viewer satisfies the attacker precondition without credentials; review Viewer-role assignments and remove accounts that do not need dashboard access; and put the instance behind a VPN or firewall allow-list so that only known networks can reach it. Contain the blast radius: set a container memory limit (under Kubernetes, resources.limits.memory on the pod) so that an exhausted Grafana is killed at the container boundary rather than taking the node's other workloads down with it; this limits collateral damage but does not prevent the Grafana crash itself. Detect attempts: alert on Grafana's own process_resident_memory_bytes gauge from its /metrics endpoint climbing towards the limit, and on container OOM-kill events and restart counts; correlate spikes with the Grafana request log to identify the user and the data source query involved. Grafana has no built-in per-user request rate limiting, so if rate limiting is wanted it belongs in the reverse proxy or ingress in front of Grafana, applied to the data source query endpoints. Finally, keep an incident response runbook for a Grafana outage that covers restarting the service, identifying and disabling the offending account, and how monitoring is covered while Grafana is down.
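As an added example (not part of this advisory and not Grafana's code), the following Python script implements the version check, Viewer-role review and memory watch described above against Grafana's HTTP API. It assumes a service-account token with Admin scope in the GRAFANA_TOKEN environment variable, that the instance does not hide its version from /api/health, that /metrics is readable with the same credentials, and that the affected set is exactly the versions listed on this page read as one exact version plus an inclusive range; when no token is set it runs on constructed sample data so it can be tried offline.

```python
"""Audit helper for the CVE-2026-33375 mitigations: added example, not Grafana code.

Checks (1) whether a Grafana version falls in the affected set listed on this
page, (2) which org members hold the Viewer role, and (3) whether Grafana's
resident memory (from its Prometheus /metrics endpoint) is close to the
container limit. With GRAFANA_TOKEN unset it runs on constructed sample data.
"""
import json
import os
import re
import urllib.request

# Assumption: the advisory's "11.6.0 and 12.1.0 through 12.4.0" is read as one
# exact version plus an inclusive range. Confirm against Grafana's own advisory.
AFFECTED_EXACT = {(11, 6, 0)}
AFFECTED_RANGE = ((12, 1, 0), (12, 4, 0))


def parse_version(version):
    """'12.3.1' or '12.3.1-abc123' -> (12, 3, 1); build suffixes are ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Grafana version: %r" % version)
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version is in the affected set stated by this advisory."""
    v = parse_version(version)
    lo, hi = AFFECTED_RANGE
    return v in AFFECTED_EXACT or lo <= v <= hi


def viewer_logins(org_users):
    """Logins holding the Viewer role, from the GET /api/org/users payload."""
    return sorted(u["login"] for u in org_users if u.get("role") == "Viewer")


def rss_bytes(metrics_text):
    """process_resident_memory_bytes from Prometheus exposition text."""
    for line in metrics_text.splitlines():
        if line.startswith("process_resident_memory_bytes "):
            return float(line.split()[1])
    raise KeyError("process_resident_memory_bytes not present in /metrics output")


def memory_alert(metrics_text, limit_bytes, ratio=0.8):
    """True when resident memory exceeds `ratio` of the container memory limit."""
    return rss_bytes(metrics_text) > ratio * limit_bytes


def _get(base_url, path, token):
    """GET a Grafana endpoint with a service-account bearer token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


# Constructed sample data, standing in for live API responses when offline.
SAMPLE_VERSION = "12.3.2"
SAMPLE_ORG_USERS = [
    {"login": "alice", "role": "Admin"},
    {"login": "bob", "role": "Viewer"},
    {"login": "carol", "role": "Viewer"},
    {"login": "dave", "role": "Editor"},
]
SAMPLE_METRICS = (
    "# HELP process_resident_memory_bytes Resident memory size in bytes.\n"
    "# TYPE process_resident_memory_bytes gauge\n"
    "process_resident_memory_bytes 1.8e+09\n"
)


def audit(version, org_users, metrics_text, limit_bytes):
    """Assemble the three checks into one report dict."""
    return {
        "version": version,
        "affected": is_affected(version),
        "viewers": viewer_logins(org_users),
        "rss_bytes": int(rss_bytes(metrics_text)),
        "memory_alert": memory_alert(metrics_text, limit_bytes),
    }


def main():
    limit = int(os.environ.get("GRAFANA_MEM_LIMIT_BYTES", 2 * 1024 ** 3))
    token = os.environ.get("GRAFANA_TOKEN")
    if token:
        base = os.environ.get("GRAFANA_URL", "http://localhost:3000")
        version = json.loads(_get(base, "/api/health", token))["version"]
        org_users = json.loads(_get(base, "/api/org/users", token))
        metrics_text = _get(base, "/metrics", token).decode()
    else:
        version, org_users, metrics_text = SAMPLE_VERSION, SAMPLE_ORG_USERS, SAMPLE_METRICS
    print(json.dumps(audit(version, org_users, metrics_text, limit), indent=2))


if __name__ == "__main__":
    main()
```

Run it periodically from the same network position as your monitoring, with GRAFANA_MEM_LIMIT_BYTES set to the container's actual memory limit; a report with affected true and a non-empty viewers list is an instance to patch first, and memory_alert flipping to true on an otherwise idle instance is the early-warning signal the mitigation section describes. If /metrics is protected by the basic-auth settings in the [metrics] section of grafana.ini, swap the bearer header for those credentials.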
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2026-03-19T07:55:06.977Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c5ac523c064ed76fd41c4b
Added to database: 3/26/2026, 9:59:46 PM
Last enriched: 3/26/2026, 10:15:48 PM
Last updated: 3/26/2026, 11:05:01 PM