Description
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Published: 2026-05-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Grafana’s SQL Expressions feature allows an authenticated user to instruct the server to read and return the contents of any file on the Grafana host’s disk. This flaw is a path traversal vulnerability (CWE-552) and also involves an SQL injection weakness (CWE-89) that allows arbitrary file read. The attack can expose confidential data such as configuration files or local credentials.

Affected Systems

Affected systems include installations of Grafana OSS. No specific version range is listed in the advisory, so all instances enabling the sqlExpressions toggle are potentially vulnerable. The vulnerability is only exploitable on instances where the toggle is turned on.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score of 0.00012 indicates a low but nonzero exploitation probability, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is inferred: an attacker requires a valid authenticated Grafana session and the sqlExpressions feature toggle must be enabled. Once authenticated, the attacker can read arbitrary files, potentially exposing sensitive data or aiding further exploitation of the host.

Generated by OpenCVE AI on May 28, 2026 at 02:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grafana OSS to a version that contains the SQL Expressions fix
  • If an upgrade cannot be performed immediately, disable the sqlExpressions feature toggle to eliminate the vulnerability
  • Restrict Grafana authentication to trusted users only and review permissions to limit access to sensitive files
  • Monitor Grafana logs for unusual file read requests via SQL expressions

Generated by OpenCVE AI on May 28, 2026 at 02:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 14 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-552
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana grafana
Vendors & Products Grafana
Grafana grafana

Wed, 13 May 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 13 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Title SQL Expressions Read File From Disk
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Grafana Grafana
cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-05-14T15:12:46.748Z

Reserved: 2026-03-19T07:55:06.978Z

Link: CVE-2026-33380

cve-icon Vulnrichment

Updated: 2026-05-14T15:12:28.920Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T20:16:20.697

Modified: 2026-05-14T16:21:02.930

Link: CVE-2026-33380

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-13T19:28:32Z

Links: CVE-2026-33380 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:15:04Z

Weaknesses