CVE-2026-21720
CVE-2026-21720 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. EPSS estimates a 0.47% chance of exploitation in the next 30 days.
Description
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
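The failure mode described above is a general Go anti-pattern: a worker hands its result back on an unbuffered channel, but the only receiver has already returned after a timeout, so the send can never complete. The program below is an added illustration of that pattern and of the simplest fix, not Grafana's own avatar code; it leaves out the 10-slot worker queue and uses a millisecond deadline instead of three seconds so the leak shows up immediately. The names `fetchLeaky`, `fetchFixed` and `leakedGoroutines` are chosen here, and the "refresh" is a constructed stand-in for the Gravatar fetch.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"time"
)

// ErrTimeout is returned when the caller gives up waiting for the worker.
var ErrTimeout = errors.New("avatar refresh timed out")

// fetchLeaky reproduces the vulnerable pattern: the worker delivers its
// result on an unbuffered channel. Once the caller has timed out and
// returned, nobody will ever receive, so the worker blocks on the send
// forever and the goroutine (plus the image bytes it holds) leaks.
func fetchLeaky(work func() []byte, timeout time.Duration) ([]byte, error) {
	results := make(chan []byte) // unbuffered: the send blocks until received
	go func() {
		results <- work() // blocks forever if the caller has already left
	}()
	select {
	case b := <-results:
		return b, nil
	case <-time.After(timeout):
		return nil, ErrTimeout
	}
}

// fetchFixed gives the channel a buffer of one. The worker's single send
// always succeeds immediately, whether or not the caller is still listening,
// so the goroutine exits and the stale result is garbage collected.
// (Having the worker select on ctx.Done() alongside the send is the other
// common fix; the buffer is the smallest change.)
func fetchFixed(work func() []byte, timeout time.Duration) ([]byte, error) {
	results := make(chan []byte, 1) // buffered: the send never blocks
	go func() {
		results <- work()
	}()
	select {
	case b := <-results:
		return b, nil
	case <-time.After(timeout):
		return nil, ErrTimeout
	}
}

// leakedGoroutines issues n requests that are guaranteed to time out (the
// simulated refresh takes far longer than the deadline), waits for every
// worker to finish its work and attempt the send, and reports how many
// goroutines are still alive compared with the baseline.
func leakedGoroutines(fetch func(func() []byte, time.Duration) ([]byte, error), n int) int {
	slowRefresh := func() []byte {
		time.Sleep(50 * time.Millisecond) // constructed stand-in for the Gravatar fetch
		return []byte("avatar-bytes")
	}
	before := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		fetch(slowRefresh, time.Millisecond) // always returns ErrTimeout
	}
	time.Sleep(300 * time.Millisecond) // every worker has reached its send by now
	return runtime.NumGoroutine() - before
}

func main() {
	// Expected: the leaky variant leaves one goroutine per timed-out request,
	// the fixed variant leaves none.
	fmt.Println("leaked with unbuffered channel:", leakedGoroutines(fetchLeaky, 50))
	fmt.Println("leaked with buffered channel:  ", leakedGoroutines(fetchFixed, 50))
}
```

Run as-is and the first line reports 50 leaked goroutines, the second 0. In a real service the same delta is visible in `runtime.NumGoroutine()` or the `go_goroutines` metric that Grafana-style Go binaries export, which is the detection signal a defender would watch for: a goroutine count that climbs with request volume and never falls back.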
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Grafana | Grafana | >= 3.0.0, < 11.6.9 |
| Grafana | Grafana | >= 12.0.0, < 12.0.8 |
| Grafana | Grafana | >= 12.1.0, < 12.1.5 |
| Grafana | Grafana | >= 12.2.0, < 12.2.3 |
| Grafana | Grafana | 12.3.0 |
Source: NVD / NIST
