PT-2026-4877 · Grafana+1

Published: 2026-01-27 · Updated: 2026-04-22 · CVE-2026-21720

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Grafana (affected versions not specified)
Description

The software can crash from memory exhaustion triggered by uncached requests to the /avatar/:hash endpoint. Each such request spawns a goroutine to refresh the Gravatar image. If the refresh takes longer than three seconds, the handler times out, and the goroutine then blocks indefinitely while attempting to send its result on an unbuffered channel. Sustained traffic with random hashes exacerbates the issue: the goroutine count grows linearly until memory is exhausted and the process crashes. The hash variable within the /avatar/:hash API endpoint is a key factor in triggering this behavior.
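The leak pattern described above, reduced to a small Go program as an added illustration; it is not Grafana's code, and `refresh`, `handle` and `leaked` are hypothetical names, with 200 ms and 5 ms standing in for the slow fetch and the three-second timeout. It counts the goroutines left behind after timed-out requests with an unbuffered result channel and with a one-slot buffered channel, a common remediation for this pattern that is assumed here rather than taken from a vendor fix.

```go
package main

import (
	"fmt"
	"runtime"
	"time"
)

// Illustration only: names and durations are assumptions, not Grafana code.

// refresh stands in for a slow upstream avatar fetch.
func refresh(out chan<- []byte, work time.Duration) {
	time.Sleep(work)
	out <- []byte("image") // blocks forever if out is unbuffered and nobody receives
}

// handle models one request: start a refresh, wait at most timeout for it.
func handle(buffered bool, work, timeout time.Duration) bool {
	size := 0
	if buffered {
		size = 1 // hardened form: the late send always has room, so the worker exits
	}
	out := make(chan []byte, size)
	go refresh(out, work)
	select {
	case <-out:
		return true
	case <-time.After(timeout):
		return false // handler gives up; the worker is still running
	}
}

// leaked returns how many goroutines remain after n timed-out requests.
func leaked(n int, buffered bool) int {
	base := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		handle(buffered, 200*time.Millisecond, 5*time.Millisecond)
	}
	time.Sleep(500 * time.Millisecond) // let every refresh finish its work
	return runtime.NumGoroutine() - base
}

func main() {
	fmt.Println("unbuffered, goroutines left:", leaked(10, false))
	fmt.Println("buffered,   goroutines left:", leaked(10, true))
}
```

For monitoring, the same signal is visible on a running Go service as a goroutine count that climbs with request volume and never returns to baseline.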
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2026-03572
BIT-GRAFANA-2026-21720
CVE-2026-21720
OPENSUSE-SU-2026:10601-1
OPENSUSE-SU-2026:20654-1
SUSE-SU-2026:1013-1
SUSE-SU-2026:1037-1
SUSE-SU-2026:1524-1

Affected Products

Grafana
Red Os