CVE-2021-28148

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to send unlimited requests to a specific Grafana Enterprise API endpoint, causing denial of service (DoS) by overwhelming the server. It affects Grafana Enterprise instances with vulnerable versions that have the usage insights feature enabled.

💻 Affected Systems

Products:
  • Grafana Enterprise
Versions: 6.x before 6.7.6, 7.x before 7.3.10, 7.4.x before 7.4.5
Operating Systems: All platforms running Grafana Enterprise
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Grafana Enterprise (not open source Grafana). Usage insights feature must be enabled, which is common in Enterprise deployments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability for all Grafana Enterprise users due to resource exhaustion from unlimited unauthenticated requests.

🟠 Likely Case

Service degradation or temporary outages from DoS attacks, disrupting monitoring and dashboard access.

🟢 If Mitigated

Minimal impact if proper network segmentation and rate limiting are in place, though the endpoint itself still accepts unauthenticated requests.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exposed to unauthenticated DoS attacks from any source.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems can still exploit this without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the vulnerable endpoint without authentication. Simple tools like curl or scripts can be used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.7.6, 7.3.10, or 7.4.5

Vendor Advisory: https://community.grafana.com/t/grafana-enterprise-6-7-6-7-3-10-and-7-4-5-security-update/44724

Restart Required: Yes

Instructions:

1. Back up your Grafana configuration and database.
2. Download the patched version from Grafana's official site.
3. Stop the Grafana service.
4. Install the update following Grafana's upgrade guide.
5. Restart the Grafana service.
6. Verify the version and functionality.

🔧 Temporary Workarounds

Disable Usage Insights API (platform: all)

Temporarily disable the vulnerable usage insights HTTP API endpoint if it is not required.

Modify grafana.ini:

[usage_insights]
enabled = false

Restart the Grafana service.

Network Access Control (platform: linux)

Restrict access to the Grafana Enterprise instance using firewall rules or network segmentation. The rules below assume the default port 3000; replace trusted_networks with your trusted source address range:

iptables -A INPUT -p tcp --dport 3000 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to limit Grafana access to trusted IPs only
  • Deploy web application firewall (WAF) with rate limiting and anomaly detection

🔍 How to Verify

Check if Vulnerable:

Check Grafana version via web interface or API: curl -s http://grafana-host:3000/api/health | grep version

Check Version:

grafana-cli --version or check /etc/grafana/grafana.ini

Verify Fix Applied:

Confirm the running version is 6.7.6, 7.3.10, 7.4.5 or later, and test that the usage insights API endpoint now rejects unauthenticated requests.

📡 Detection & Monitoring

Log Indicators:

  • High volume of requests to /api/usage-insights endpoints from unauthenticated sources
  • Increased error rates or timeout logs

Network Indicators:

  • Spike in traffic to Grafana port 3000 from diverse IPs
  • Unusual request patterns to specific API paths

SIEM Query:

source="grafana.log" AND ("usage-insights" OR "api/usage") AND status=200 AND user="anonymous" | stats count by src_ip
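As an added detection example, not part of this advisory: a Python script that applies the log indicator above to Grafana's logfmt request log, counting unauthenticated requests to the usage-insights API per source address within a sliding time window. It assumes router_logging is enabled in grafana.ini (so every completed request is logged), the /api/usage-insights path prefix, and a constructed threshold and window; the log lines are constructed samples using TEST-NET addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# logfmt key=value pairs; values may be bare or double-quoted
LOGFMT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
WATCHED_PREFIX = "/api/usage-insights"  # assumed prefix, taken from the log indicator above

def parse_logfmt(line):
    """Return the line's logfmt fields as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in LOGFMT_PAIR.findall(line)}

def is_unauth_insights_request(rec):
    """Completed request to the watched prefix with no logged-in user (userId=0)."""
    return (rec.get("msg") == "Request Completed"
            and rec.get("path", "").startswith(WATCHED_PREFIX)
            and rec.get("userId", "0") == "0")

def flag_sources(lines, threshold, window_s):
    """Return {remote_addr: peak} for sources reaching `threshold` unauthenticated requests in any `window_s`-second window."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_logfmt(line)
        if is_unauth_insights_request(rec):
            ts = datetime.strptime(rec["t"], "%Y-%m-%dT%H:%M:%S%z")
            stamps_by_ip[rec.get("remote_addr", "unknown")].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = peak = 0
        for end in range(len(stamps)):  # two-pointer sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample lines in Grafana's logfmt style: a five-request unauthenticated burst,
# one authenticated request to the same path, and one unrelated unauthenticated request.
SAMPLE_LOG = [
    f't=2021-03-24T10:00:{s:02d}+0000 lvl=info msg="Request Completed" logger=context userId=0 '
    f'orgId=0 uname= method=GET path={WATCHED_PREFIX}/dashboards status=200 remote_addr=203.0.113.7'
    for s in range(5)
] + [
    't=2021-03-24T10:00:02+0000 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 '
    f'uname=admin method=GET path={WATCHED_PREFIX}/dashboards status=200 remote_addr=198.51.100.2',
    't=2021-03-24T10:00:03+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 '
    'uname= method=GET path=/api/health status=200 remote_addr=203.0.113.7',
]
```

Calling `flag_sources(SAMPLE_LOG, threshold=5, window_s=60)` returns only the bursting source; the authenticated request and the unrelated /api/health request are not counted.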
