CVE-2026-27876

EUVD-2026-16634
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.

Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
GRAFANACNA
9.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
grafanagrafana
11.6.0 ≤
𝑥
< 11.6.14
grafanagrafana
12.0.0 ≤
𝑥
< 12.1.10
grafanagrafana
12.2.0 ≤
𝑥
< 12.2.8
grafanagrafana
12.3.0 ≤
𝑥
< 12.3.6
grafanagrafana
12.4.0 ≤
𝑥
< 12.4.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://grafana.com/security/security-advisories/cve-2026-27876