CVE-2026-33380

EUVD-2026-30145
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Provider: NIST
Type: Primary
Base Score: 6.3 MEDIUM
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score
Percentile: 17%
Affected Products (NVD)
Vendor    Product    Version
grafana   grafana    11.6.0 ≤ x < 11.6.14
grafana   grafana    12.2.0 ≤ x < 12.2.8
grafana   grafana    12.3.0 ≤ x < 12.3.6
grafana   grafana    12.4.0 ≤ x < 12.4.3
grafana   grafana    13.0.0 ≤ x < 13.0.1
x = Vulnerable software versions