{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27876", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-02-24T14:30:17.726Z", "datePublished": "2026-03-27T14:24:36.771Z", "dateUpdated": "2026-04-02T15:25:38.640Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-04-02T15:25:38.640Z"}, "datePublic": "2026-03-27T14:21:53.858Z", "title": "RCE on Grafana via sqlExpressions", "descriptions": [{"lang": "en", "value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected."}], "affected": [{"vendor": "Grafana", "product": "Grafana Enterprise", "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected", "versions": [{"version": "v11.6.0", "status": "affected", "versionType": "semver", "lessThan": "v11.6.14"}, {"version": "v12.0.0", "status": "affected", "versionType": "semver", "lessThan": "v12.1.10"}, {"version": "v12.2.0", "status": "affected", "versionType": "semver", "lessThan": "v12.2.8"}, {"version": "v12.3.0", "status": "affected", "versionType": "semver", "lessThan": "v12.3.6"}, {"version": "v12.4.0", "status": "affected", "versionType": "semver", "lessThan": "v12.4.2"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27876", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-27876"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T03:55:48.690Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27876", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T16:53:42.831614Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T16:53:32.426Z"}}], "cna": {"title": "RCE on Grafana via sqlExpressions", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "Grafana", "product": "Grafana Enterprise", "versions": [{"status": "affected", "version": "v11.6.0", "lessThan": "v11.6.14", "versionType": "semver"}, {"status": "affected", "version": "v12.0.0", "lessThan": "v12.1.10", "versionType": "semver"}, {"status": "affected", "version": "v12.2.0", "lessThan": "v12.2.8", "versionType": "semver"}, {"status": "affected", "version": "v12.3.0", "lessThan": "v12.3.6", "versionType": "semver"}, {"status": "affected", "version": "v12.4.0", "lessThan": "v12.4.2", "versionType": "semver"}], "platforms": ["OnPrem", "Cloud"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-27T14:21:53.858Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27876", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-03-27T14:28:53.246Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27876", "state": "PUBLISHED", "dateUpdated": "2026-03-28T03:55:48.690Z", "dateReserved": "2026-02-24T14:30:17.726Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-03-27T14:24:36.771Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2B1C33F0-5D24-493C-BD5E-78C4B79DEC58", "versionEndExcluding": "11.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "94F2B4A1-DE4B-4718-A4D2-FBAE0711CC94", "versionEndExcluding": "12.0.0", "versionStartIncluding": "11.6.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B77BDF7D-60F5-4DA0-B530-D8B69B7BA9B7", "versionEndExcluding": "12.2.0", "versionStartIncluding": "12.1.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "03B82BEE-3BE4-466C-B50D-900DDD46277A", "versionEndExcluding": "12.3.0", "versionStartIncluding": "12.2.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "84C9E335-11FD-45E6-8804-2392B0AE11F7", "versionEndExcluding": "12.4.0", "versionStartIncluding": "12.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable."}], "id": "CVE-2026-27876", "lastModified": "2026-03-31T18:36:58.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:50.920", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-27876"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: grafana-enterprise-plugin: Grafana: Remote arbitrary code execution via chained SQL Expressions and Enterprise plugin attack", "id": "2452277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452277"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-89", "details": ["A flaw was found in Grafana and the Grafana Enterprise plugin. A remote attacker could exploit a chained attack involving SQL Expressions and the Grafana Enterprise plugin to achieve remote arbitrary code execution. This vulnerability is present in instances where the `sqlExpressions` feature toggle is enabled, allowing an attacker to execute unauthorized commands on the system."], "name": "CVE-2026-27876", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T14:24:36Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27876\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27876\nhttps://grafana.com/security/security-advisories/cve-2026-27876"], "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[11.6.0,11.6.14)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,12.1.10)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.0,12.2.8)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.0,12.3.6)"}}, {"platform": ["onprem", "cloud"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.4.0,12.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Grafana Enterprise", "source": "cna", "vendor": "Grafana"}, "product": "grafana_enterprise", "vendor": "grafana"}], "analysis": {"en": {"generated_at": "2026-03-31T19:53:02.176199+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s official patch or upgrade to a Grafana Enterprise release that removes the vulnerable code path.", "If an update is not immediately available, disable the sqlExpressions feature toggle to block exploitation.", "Ensure all installed plugins are up to date and verify that no other vulnerable plugins are present.", "Restrict network access to the Grafana server to trusted hosts and monitor logs for unusual SQL expression activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Grafana Enterprise installations that have the sqlExpressions feature toggle enabled are affected. The advisory does not specify a version range, so any build that includes the feature and the relevant plugin combination should be treated as vulnerable. Users of Grafana OSS are advised to upgrade as the feature is available there as well to mitigate future risks.", "description_and_impact": "The reported vulnerability allows a remote attacker to run arbitrary code on a Grafana Enterprise server by manipulating the sqlExpressions feature in conjunction with a plugin. The flaw arises from improper validation of SQL expressions, enabling injection that leads to code execution. This falls under input validation and code injection weaknesses (CWE\u201189 and CWE\u201194). The result is full loss of confidentiality, integrity, and availability of the affected host.", "risk_and_exploitability": "The base CVSS score of 9.1 indicates critical severity. The EPSS score is below 1%, suggesting current exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. The description does not state whether authentication is required, so it is unclear if only authenticated users can trigger the exploit. If the Grafana API is exposed to an untrusted network, a potential attacker could leverage the feature to achieve remote code execution."}}}}, "created": "2026-03-27T20:28:33.028056+00:00", "updated": "2026-03-31T20:01:13.674111+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana_enterprise"]}