Description
The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host.
Published: 2026-06-22
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Snowflake datasource in Grafana implements GET and PUT commands that allow a user who can run queries to read or write files between the local Grafana server and the Snowflake host. An attacker with query permissions can therefore read arbitrary files or overwrite system files on the Grafana server, which can lead to privilege escalation or disruption of services.

Affected Systems

The Grafana Snowflake Datasource component is affected. No specific product versions are listed in the advisory; any installation of the datasource that is still unpatched is considered vulnerable.

Risk and Exploitability

The CVSS score of 9.6 indicates a high severity risk. EPSS is not reported, and the vulnerability is not yet in the CISA KEV catalog. An attacker needs to have the ability to execute queries against the datasource; once that privilege is available, the GET/PUT commands can be used to read or write local files without restriction, making exploitation straightforward for a user with sufficient query access.

Generated by OpenCVE AI on June 22, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Grafana to a version where the Snowflake datasource restricts or removes GET/PUT file operations.
  • Limit query execution rights to trusted users only, ensuring that only authorized.
  • If an update is not immediately possible, disable or remove the GET/PUT functionality in the datasource configuration to block file read/write operations.

Generated by OpenCVE AI on June 22, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana snowflake Datasource
Vendors & Products Grafana
Grafana snowflake Datasource

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host.
Title Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

Grafana Snowflake Datasource
cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-06-24T15:58:25.231Z

Reserved: 2026-02-27T07:16:12.218Z

Link: CVE-2026-28381

cve-icon Vulnrichment

Updated: 2026-06-22T15:43:10.289Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:23Z

Weaknesses