CVE-2026-27876

CRITICAL

RCE on Grafana via sqlExpressions

Title source: cna

Description

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

Exploits (1)

nomisec SCANNER

by 0xBlackash · poc

https://github.com/0xBlackash/CVE-2026-27876

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://grafana.com/security/security-advisories/cve-2026-27876

Scores

CVSS v3 9.1

EPSS 0.0013

EPSS Percentile 32.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (16)

grafana/grafana < 11.6.0

Grafana/Grafana 11.6.0 - 11.6.14

Grafana/Grafana 12.0.0 - 12.1.10

Grafana/Grafana 12.2.0 - 12.2.8

Grafana/Grafana 12.3.0 - 12.3.6

Grafana/Grafana 12.4.0 - 12.4.2

Grafana/Grafana v11.6.0 - v11.6.14

Grafana/Grafana v12.0.0 - v12.1.10

Grafana/Grafana v12.2.0 - v12.2.8

Grafana/Grafana v12.3.0 - v12.3.6

... and 6 more

Published Mar 27, 2026

Tracked Since Mar 29, 2026