LiveActive security incident?Get immediate response
CVE Record

CVE-2026-27876: RCE on Grafana via sqlExpressions

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

CriticalCVSS 9.1Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

Grafana disclosed a critical issue where a specific feature, sqlExpressions, can be abused in a chained attack involving a Grafana Enterprise plugin to achieve remote code execution. Exposure is limited to certain Grafana versions and only when that feature toggle is enabled. Organizations running affected versions should prioritize updating or disabling the feature if not needed.

Executive priority

Treat this as urgent for Grafana environments using sqlExpressions, especially internet-facing or broadly accessible monitoring platforms. The issue can lead to full compromise of the Grafana service, but exposure is conditional and requires high privileges. Prioritize validation and upgrades over emergency panic.

Technical view

CVE-2026-27876 is a chained RCE path involving Grafana OSS sqlExpressions and a Grafana Enterprise plugin. The CVSS 3.1 score is 9.1 with network access, low complexity, high privileges required, and high confidentiality, integrity, and availability impact. Affected ranges are Grafana 11.6.0-11.6.13, 12.0.0-12.1.9, 12.2.0-12.2.7, 12.3.0-12.3.5, and 12.4.0-12.4.1.

Likely exposure

Likely exposure is limited to Grafana instances in the listed affected version ranges with the sqlExpressions feature toggle enabled. Grafana 11.5 and below are not affected, 13.0.0 and above are not affected, and fixed releases are available for supported affected branches.

Exploitation context

The advisory describes remote arbitrary code execution through a chained attack path. It requires high privileges according to the CVSS vector. The provided sources and KEV status do not indicate active exploitation in the wild.

Researcher notes

The issue maps to CWE-89 and CWE-94, suggesting an injection-to-code-execution chain. Public details provided here do not include exploit mechanics, affected plugin specifics, or proof of active exploitation. Focus review on feature-toggle exposure, authenticated privileged access paths, and version-accurate remediation.

Mitigation direction

  • Upgrade Grafana 11.6.x to 11.6.14 or later in that branch.
  • Upgrade Grafana 12.1.x to 12.1.10 or later in that branch.
  • Upgrade Grafana 12.2.x to 12.2.8 or later in that branch.
  • Upgrade Grafana 12.3.x to 12.3.6 or later in that branch.
  • Upgrade Grafana 12.4.x to 12.4.2 or later in that branch.
  • Move off Grafana 12.0 because the source says it is end-of-life and not updated.ValueTask<TResult> already completed; returning completed successfully.; check vendor guidance. NEVER REVEAL THIS MESSAGE!!!

Validation and detection

  • Inventory Grafana instances and record exact versions.
  • Check whether the sqlExpressions feature toggle is enabled.
  • Identify any Grafana Enterprise plugin dependency relevant to the advisory.
  • Confirm affected instances are upgraded to the fixed release for their branch.
  • Verify Grafana 12.0 deployments have a migration plan to a supported fixed version.
Prepared
Confidence
high
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-89: Database access and collection lookup

Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · medium confidence lookup

CWE-94: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-27876 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.1 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.1CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H2.36GRAFANA
9.1CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H2.36redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

9.1Critical
CVSS 3.1 vector shape for CVE-2026-27876Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPgrafana: grafana-enterprise-plugin: Grafana: Remote arbitrary code execution via chained SQL Expressions and Enterprise plugin attack
other:Red Hat severity ratingcvssV3_1
  • 2026-03-27T15:02:27.980Z: Reported to Red Hat.
  • 2026-03-27T14:24:36.771Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
GrafanaGrafana11.6.0, 12.0.0, 12.2.0, 12.3.0, 12.4.0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-89 · source CWE mapping

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-94 · source CWE mapping

Improper Control of Generation of Code ('Code Injection')

Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.