CVE-2026-8609: An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Gra
An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service).
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-8609
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-8609 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for An unauthenticated attacker
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-57476: Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker…nvd · 2026-07-10
- mediumCVE-2026-57475: Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing A…nvd · 2026-07-10
- highCVE-2026-33382: Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the requ…nvd · 2026-07-10
- mediumCVE-2026-57994: phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across it…nvd · 2026-07-10
- highCVE-2026-38059: The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authenticatio…nvd · 2026-07-10
- highCVE-2026-12685: The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, ob…nvd · 2026-07-10
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11