CVE-2026-27876 PUBLISHED

RCE on Grafana via sqlExpressions

Assigner: GRAFANA
Reserved: 24.02.2026 Published: 27.03.2026 Updated: 27.03.2026

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to remote arbitrary code execution (RCE). The feature that enables the chain is part of Grafana OSS, not only Enterprise, so all users are recommended to update to close this path against current and future attack vectors.

Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Product Status

Vendor Grafana
Product Grafana Enterprise
Versions Default: unaffected
  • affected from v11.6.0 to v11.6.14 (excl.)
  • affected from v12.0.0 to v12.1.10 (excl.)
  • affected from v12.2.0 to v12.2.8 (excl.)
  • affected from v12.3.0 to v12.3.6 (excl.)
  • affected from v12.4.0 to v12.4.2 (excl.)
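A triage helper, added here as an example and not code from Grafana or from the advisory: it tests a version string against the five affected ranges listed above, and checks whether the sqlExpressions toggle is on by reading the [feature_toggles] section of grafana.ini (both the `enable = a,b` list form and the `name = true` per-toggle form) plus the GF_FEATURE_TOGGLES_ENABLE environment override. The sample ini is constructed. The optional live check assumes the standard /api/health (version) and /api/frontend/settings (featureToggles) endpoints are reachable and that the caller holds a valid API token; verify that against your deployment.

```python
"""CVE-2026-27876 triage: affected version range AND sqlExpressions toggle on?
Added example, not Grafana's or the advisory's own code."""
import configparser
import json
import os
import re
import sys
import urllib.request

# [introduced, fixed) per release line, copied from the advisory's version list.
AFFECTED_RANGES = [
    ((11, 6, 0), (11, 6, 14)),
    ((12, 0, 0), (12, 1, 10)),
    ((12, 2, 0), (12, 2, 8)),
    ((12, 3, 0), (12, 3, 6)),
    ((12, 4, 0), (12, 4, 2)),
]

# Constructed sample grafana.ini, shaped like a real one (assumption).
SAMPLE_INI = """\
[server]
http_port = 3000

[feature_toggles]
; comma-separated list form
enable = publicDashboards,sqlExpressions
; per-toggle form is also accepted by Grafana
lokiQuerySplitting = true
"""


def parse_version(v):
    """'v12.1.9', '12.1.9-pre', '12.1.9+security-01' -> (12, 1, 9).
    Pre-release and build suffixes are ignored on purpose: a security build
    of an affected base version is still that base version."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(v):
    """True if v falls inside any [introduced, fixed) range."""
    ver = parse_version(v)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def sql_expressions_enabled(ini_text, env=None):
    """Read [feature_toggles] from grafana.ini text, honouring both spellings
    ('enable = a,b' and 'name = true'), plus the GF_FEATURE_TOGGLES_ENABLE
    environment override that Grafana applies on top of the file."""
    env = os.environ if env is None else env
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep camelCase toggle names intact
    cp.read_string(ini_text)
    enabled = set()
    if cp.has_section("feature_toggles"):
        for key, val in cp.items("feature_toggles"):
            if key == "enable":
                enabled.update(t.strip() for t in val.split(",") if t.strip())
            elif val.strip().lower() in ("true", "1", "yes", "on"):
                enabled.add(key)
    enabled.update(t.strip() for t in env.get("GF_FEATURE_TOGGLES_ENABLE", "").split(",")
                   if t.strip())
    return "sqlExpressions" in enabled


def triage(version, toggle_on):
    """Both conditions in the advisory must hold for the instance to be vulnerable."""
    if not is_affected_version(version):
        return "not affected: version outside the advisory's ranges"
    if not toggle_on:
        return "affected version but sqlExpressions is off: update anyway"
    return "VULNERABLE: affected version with sqlExpressions enabled"


def live_check(base_url, token):
    """Ask a running instance. Assumes /api/health (reports version) and
    /api/frontend/settings (needs a session or API token, reports featureToggles)
    are reachable from where this runs."""
    def get(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    version = get("/api/health")["version"]
    toggles = get("/api/frontend/settings").get("featureToggles", {})
    return version, bool(toggles.get("sqlExpressions", False))


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1].startswith("http"):
        ver, on = live_check(sys.argv[1], sys.argv[2])        # BASE_URL TOKEN
    elif len(sys.argv) == 3:
        ver = sys.argv[2]                                       # INI_PATH VERSION
        with open(sys.argv[1]) as f:
            on = sql_expressions_enabled(f.read())
    else:
        ver, on = "12.1.9", sql_expressions_enabled(SAMPLE_INI, env={})
    print(ver, "sqlExpressions=%s" % on, "->", triage(ver, on))
```

Run it as `python3 triage.py /etc/grafana/grafana.ini 12.1.9` against a config file, or `python3 triage.py https://grafana.example TOKEN` against a live instance. Note that the version ranges are half-open, so 11.6.14, 12.1.10, 12.2.8, 12.3.6 and 12.4.2 are the first fixed releases, and that the CVSS vector's PR:H means the chain still needs a high-privilege account; disabling the toggle removes the precondition, but the advisory asks for the update regardless.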

References