BIT-grafana-2026-27876

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/grafana/BIT-grafana-2026-27876.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-grafana-2026-27876

Aliases

CVE-2026-27876

Published

2026-04-01T08:41:07.673Z

Modified

2026-04-08T09:15:13.324269Z

Summary

RCE on Grafana via sqlExpressions

Details

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.

Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Only instances in the following version ranges are affected:

11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

Database specific

{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
        "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:go:*:*"
    ]
}

References

Affected packages

Bitnami / grafana

Package

Name: grafana
Purl: pkg:bitnami/grafana

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

11.6.0

Fixed

11.6.14

Introduced

12.0.0

Fixed

12.1.10

Introduced

12.2.0

Fixed

12.2.8

Introduced

12.3.0

Fixed

12.3.6

Introduced

12.4.0

Fixed

12.4.2

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/grafana/BIT-grafana-2026-27876.json"