Description
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.

Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Only instances in the following version ranges are affected:

- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.
Published: 2026-03-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A chained attack leverages SQL Expressions and a Grafana Enterprise plugin to achieve remote arbitrary code execution. The vulnerability resides in how Grafana parses SQL Expression payloads, allowing injected code to be executed on the host. Successful exploitation gives an attacker complete control over the Grafana server, compromising confidentiality, integrity, and availability of any data or services hosted there. The weakness is reflected in CWE-89 (SQL Injection) and CWE-94 (Improper Control of Generation of Code).

Affected Systems

Grafana Enterprise installations with the sqlExpressions feature toggle enabled are vulnerable. The affected versions are 11.6.0 through 11.6.13, 12.0.0 through 12.1.9, 12.2.0 through 12.2.7, 12.3.0 through 12.3.5, and 12.4.0 through 12.4.1. Version 12.0 is end‑of‑life and is not maintained. All newer releases, starting with 12.1.10, 12.2.8, 12.3.6, 12.4.2, and 13.0.0 or later, contain the fix and are not affected.

Risk and Exploitability

The CVSS score of 9.1 classifies the flaw as critical, and the EPSS score indicates a low average probability of exploitation in the near term, but the attack path involves only a single configuration setting and an available plugin, making it tractable for a motivated adversary. Because the flaw allows remote code execution, a successful attack would compromise an entire Grafana deployment. No publicly known exploits have been reported and the issue is not listed in CISA’s KEV catalog, but the lack of publicly available exploit code does not mitigate the risk of targeted attacks. The attack likely requires an attacker who can send a specially crafted query to the Grafana instance, which is feasible from any host that can reach the server.

Generated by OpenCVE AI on April 2, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported Grafana Enterprise release (≥ 11.6.14, 12.1.10, 12.2.8, 12.3.6, 12.4.2, or 13.0.0 and later) that contains the fix.
  • If upgrading immediately is not possible, disable the sqlExpressions feature toggle in the Grafana configuration to block the vulnerable functionality.
  • Verify that no unused or vulnerable plugins that use SQL Expressions remain installed and remove them if present.
  • Apply regular patch management procedures to ensure future updates are applied promptly.
  • Monitor Grafana logs and network activity for any suspicious query patterns or attempts to execute arbitrary code.

Generated by OpenCVE AI on April 2, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

Tue, 31 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Grafana grafana
CPEs cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Vendors & Products Grafana grafana

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana grafana Enterprise
Vendors & Products Grafana
Grafana grafana Enterprise

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
References
Metrics threat_severity

None

 threat_severity

Critical

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Fri, 27 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Title RCE on Grafana via sqlExpressions
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Grafana Grafana Grafana Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-04-24T08:00:45.815Z

Reserved: 2026-02-24T14:30:17.726Z

Link: CVE-2026-27876

cve-icon Vulnrichment

Updated: 2026-03-27T16:53:32.426Z

cve-icon NVD

Status : Modified

Published: 2026-03-27T15:16:50.920

Modified: 2026-04-02T16:16:21.140

Link: CVE-2026-27876

cve-icon Redhat

Severity : Critical

Publid Date: 2026-03-27T14:24:36Z

Links: CVE-2026-27876 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:22:55Z

Weaknesses