Description
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.

Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Published: 2026-03-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Grafana Enterprise enables an attacker to chain a SQL Expression through a plugin when the sqlExpressions feature toggle is enabled, resulting in arbitrary code execution on the host system. This flaw falls under the code-injection class (CWE-94) and poses a direct threat to data confidentiality, system integrity, and overall availability, potentially granting attackers full administrative control.

Affected Systems

All Grafana Enterprise deployments that have the sqlExpressions toggle turned on are susceptible. Because the vulnerable feature resides in the open-source core, every installation with this setting active faces the same risk until a patch is applied. No specific patched versions are noted in the advisory, so current installations should assume the vulnerability is present.

Risk and Exploitability

With a CVSS score of 9.1, the flaw is classified as high severity. The exploit probability is not quantified by EPSS, and it is not currently listed in the CISA KEV catalog, which neither confirms nor denies the likelihood of exploitation. Attackers can reach the vulnerable code path through the Grafana user interface or API where SQL Expressions are parsed, and because the feature is baked into the core, the attack surface is wide for any user who can configure data sources or plugins.

Generated by OpenCVE AI on March 27, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Grafana Enterprise patch that removes or hardens the sqlExpressions feature.
  • If upgrading is not immediately possible, disable the sqlExpressions toggle in Grafana’s configuration to block the vulnerable code path.
  • Review installed plugins for interactions with sqlExpressions and update or remove any that rely on it.
  • Monitor Grafana logs for unexpected query activity and verify that the feature toggle remains disabled until a patch is installed.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 12:15:00 +0000

Type                     Values Removed   Values Added
Weaknesses                                CWE-89
References
Metrics threat_severity  None             Critical

Fri, 27 Mar 2026 20:15:00 +0000

Type                     Values Removed   Values Added
Metrics ssvc                              {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 17:30:00 +0000

Type                     Values Removed   Values Added
Weaknesses                                CWE-94

Fri, 27 Mar 2026 14:45:00 +0000

Type                     Values Removed   Values Added
Description                               A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Title                                     RCE on Grafana via sqlExpressions
References
Metrics cvssV3_1                          {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-03-28T03:55:48.690Z

Reserved: 2026-02-24T14:30:17.726Z

Link: CVE-2026-27876

Vulnrichment

Updated: 2026-03-27T16:53:32.426Z

NVD

Status : Received

Published: 2026-03-27T15:16:50.920

Modified: 2026-03-27T17:16:27.600

Link: CVE-2026-27876

Redhat

Severity : Critical

Public Date: 2026-03-27T14:24:36Z

Links: CVE-2026-27876 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T20:28:33Z

Weaknesses