Grafana OOM: $__timeGroup Macro Overloads Server
CVE-2026-33378 Published on May 13, 2026
Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macro
Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the attack can take upwards of half an hour to crash the server.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2026-33378 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2026-33378
Want to know whenever a new CVE is published for Grafana Labs Grafana? stack.watch will email you.
Affected Versions
Grafana OSS:- Version 8.0.0, <= 11.6.14 is affected.
- Version 11.6.14 and below 11.6.14+security-04 is affected.
- Version 12.0.0, <= 12.2.8 is affected.
- Version 12.2.8 and below 12.2.8+security-04 is affected.
- Version 12.3.0, <= 12.3.6 is affected.
- Version 12.3.6 and below 12.3.6+security-04 is affected.
- Version 12.4.0, <= 12.4.3 is affected.
- Version 12.4.3 and below 12.4.3+security-02 is affected.
- Version 13.0.0, <= 13.0.1 is affected.
- Version 13.0.1 and below 13.0.1+security-01 is affected.