{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27876", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-24T14:30:17.726Z", "datePublished": "2026-03-27T14:24:36.771Z", "dateUpdated": "2026-03-27T16:53:46.532Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:53.246Z"}, "datePublic": "2026-03-27T14:21:53.858Z", "title": "RCE on Grafana via sqlExpressions", "descriptions": [{"lang": "en", "value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable."}], "affected": [{"vendor": "Grafana", "product": "Grafana Enterprise", "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected", "versions": [{"version": "v11.6.0", "status": "affected", "versionType": "semver", "lessThan": "v11.6.14"}, {"version": "v12.0.0", "status": "affected", "versionType": "semver", "lessThan": "v12.1.10"}, {"version": "v12.2.0", "status": "affected", "versionType": "semver", "lessThan": "v12.2.8"}, {"version": "v12.3.0", "status": "affected", "versionType": "semver", "lessThan": "v12.3.6"}, {"version": "v12.4.0", "status": "affected", "versionType": "semver", "lessThan": "v12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27876", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T16:53:42.831614Z", "id": "CVE-2026-27876", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T16:53:46.532Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27876", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-24T14:30:17.726Z", "datePublished": "2026-03-27T14:24:36.771Z", "dateUpdated": "2026-03-27T16:53:46.532Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:53.246Z"}, "datePublic": "2026-03-27T14:21:53.858Z", "title": "RCE on Grafana via sqlExpressions", "descriptions": [{"lang": "en", "value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable."}], "affected": [{"vendor": "Grafana", "product": "Grafana Enterprise", "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected", "versions": [{"version": "v11.6.0", "status": "affected", "versionType": "semver", "lessThan": "v11.6.14"}, {"version": "v12.0.0", "status": "affected", "versionType": "semver", "lessThan": "v12.1.10"}, {"version": "v12.2.0", "status": "affected", "versionType": "semver", "lessThan": "v12.2.8"}, {"version": "v12.3.0", "status": "affected", "versionType": "semver", "lessThan": "v12.3.6"}, {"version": "v12.4.0", "status": "affected", "versionType": "semver", "lessThan": "v12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27876", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27876", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T16:53:42.831614Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T16:53:32.426Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable."}], "id": "CVE-2026-27876", "lastModified": "2026-03-27T17:16:27.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:50.920", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2026-27876"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T18:50:53.187239+00:00", "value": {"mitigation_remediation": ["Apply the latest Grafana Enterprise patch that removes or hardens the sqlExpressions feature.", "If upgrading is not immediately possible, disable the sqlExpressions toggle in Grafana\u2019s configuration to block the vulnerable code path.", "Review installed plugins for interactions with sqlExpressions and update or remove any that rely on it.", "Monitor Grafana logs for unexpected query activity and verify that the feature toggle remains disabled until a patch is installed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All Grafana Enterprise deployments that have the sqlExpressions toggle turned on are susceptible. Because the vulnerable feature resides in the open\u2011source core, every installation with this setting active faces the same risk until a patch is applied. No specific patched versions are noted in the advisory, so current installations should assume the vulnerability is present.", "description_and_impact": "The vulnerability in Grafana Enterprise enables an attacker to chain a SQL Expression through a plugin when the sqlExpressions feature toggle is enabled, resulting in arbitrary code execution on the host system. This flaw falls under the code\u2011injection class (CWE\u201194) and poses a direct threat to data confidentiality, system integrity, and overall availability, potentially granting attackers full administrative control.", "risk_and_exploitability": "With a CVSS score of 9.1, the flaw is classified as high severity. The exploit probability is not quantified by EPSS, and it is not currently listed in the CISA KEV catalog, which neither confirms nor denies the likelihood of exploitation. Attackers can reach the vulnerable code path through the Grafana user interface or API where SQL Expressions are parsed, and because the feature is baked into the core, the attack surface is wide for any user who can configure data sources or plugins."}}}}, "created": "2026-03-27T20:28:33.028056+00:00", "updated": "2026-03-27T20:28:33.028084+00:00", "vendors": []}