CVE-2019-15043

Source: Red Hat CVE database (redhat.com, access.redhat.com), entry RH:CVE-2019-15043
Published: 2019-08-30 05:58:33 (history: Aug 30, 2019 - 5:58 a.m.)

EPSS: 0.281 (Low), percentile 96.9%

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

Mitigation

Block access to the snapshot feature by blocking the /api/snapshots URL via a web application firewall, load balancer, reverse proxy, etc.

You can also set 'external_enabled' to false to disable the external snapshot publish endpoint (default true). Note that this disables the external snapshot sharing feature entirely.

cat /etc/grafana/grafana.ini

[…]
[snapshots]
# snapshot sharing options
external_enabled = false
external_snapshot_url = https://snapshots-origin.raintank.io
external_snapshot_name = Publish to snapshot.raintank.io
[…]
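As an added check that is not part of the Red Hat advisory, the POSIX shell function below audits a grafana.ini for the second mitigation and reports whether external snapshot publishing is disabled. It assumes Grafana's documented default (external_enabled = true) applies when the key is absent or commented out, and the two sample configs it runs against are constructed here, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the advisory: audit grafana.ini for the
# external_enabled mitigation. Assumes Grafana's documented default
# (external_enabled = true) when the key is absent or commented out.

# grafana_snapshot_status FILE
# Prints "disabled" or "enabled"; exit status 0 only when disabled.
grafana_snapshot_status() {
    status=$(awk '
        # Skip comment lines; grafana.ini uses both ";" and "#".
        /^[[:space:]]*[;#]/ { next }
        # Track the current [section] so keys in other sections are ignored.
        /^[[:space:]]*\[/ {
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
            next
        }
        # The last external_enabled assignment inside [snapshots] wins.
        sec == "snapshots" && /^[[:space:]]*external_enabled[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]*[;#].*$/, "", v); sub(/[[:space:]]+$/, "", v)
            val = tolower(v)
        }
        END { if (val == "false") print "disabled"; else print "enabled" }
    ' "$1")
    echo "$status"
    [ "$status" = "disabled" ]
}

# Constructed sample configs: the vulnerable default and a mitigated one.
VULN_INI=$(mktemp); FIXED_INI=$(mktemp)
trap 'rm -f "$VULN_INI" "$FIXED_INI"' EXIT
cat > "$VULN_INI" <<'EOF'
[snapshots]
# snapshot sharing options
;external_enabled = false
external_snapshot_url = https://snapshots-origin.raintank.io
EOF
cat > "$FIXED_INI" <<'EOF'
[snapshots]
external_enabled = FALSE ; no external publishing via /api/snapshots
external_snapshot_url = https://snapshots-origin.raintank.io
[other]
external_enabled = true
EOF
for f in "$VULN_INI" "$FIXED_INI"; do
    printf '%s: external snapshot publishing %s\n' "$f" "$(grafana_snapshot_status "$f")"
done
```

A commented-out `;external_enabled = false` still leaves the endpoint enabled, which is why the audit treats comments and other sections as if the key were unset.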