CVE-2026-27876

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://grafana.com/security/security-advisories/cve-2026-27876	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:grafana:grafana:::::enterprise:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*

History

02 Apr 2026, 16:16

Type	Values Removed	Values Added
Summary	(en) A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable.	(en) A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

31 Mar 2026, 18:36

Type	Values Removed	Values Added
CPE		cpe:2.3:a:grafana:grafana:::::enterprise:::*
References	~~() https://grafana.com/security/security-advisories/cve-2026-27876 -~~	() https://grafana.com/security/security-advisories/cve-2026-27876 - Vendor Advisory
First Time		Grafana Grafana grafana

27 Mar 2026, 17:16

Type	Values Removed	Values Added
CWE		CWE-94

27 Mar 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 15:16

Updated : 2026-04-02 16:16

NVD link : CVE-2026-27876

Mitre link : CVE-2026-27876

CVE.ORG link : CVE-2026-27876

JSON object : View

Products Affected

grafana

grafana

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.1 /10