PT-2026-28369 · Grafana · Grafana

Published: 2026-03-25 · Updated: 2026-04-30 · CVE-2026-27876

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grafana 11.6.0 and later before 11.6.14, 12.0.0 and later before 12.1.10, 12.2.0 and later before 12.2.8, 12.3.0 and later before 12.3.6, and 12.4.0 and later before 12.4.2 (the upper bound of each range is the fixed release listed under Recommendations).
Description: A chained attack combining Grafana's SQL Expressions feature with a Grafana Enterprise plugin can lead to remote arbitrary code execution (RCE). The entry point is the sqlExpressions feature toggle in Grafana (OSS): the attack path only exists while that toggle is enabled. An attacker who can author SQL expressions injects a malicious expression that is then processed by a vulnerable Grafana Enterprise plugin, triggering code evaluation on the Grafana server. Per the CVSS vector (PR:H), exploitation requires an authenticated account with high privileges; no user interaction is needed, and the impact reaches beyond Grafana itself (S:C). A successful attack yields full compromise of the host running Grafana, potentially including authentication bypass and SSH access to that host. An estimated 83,000 instances are exposed globally.
Recommendations: Upgrade to the fixed release for your release line, or any later version: 11.6.14, 12.1.10, 12.2.8, 12.3.6 or 12.4.2. If an immediate upgrade is not possible, disable the sqlExpressions feature toggle (remove it from the enable list under [feature_toggles] in grafana.ini, or from the GF_FEATURE_TOGGLES_ENABLE environment variable) and restart Grafana. Because exploitation needs a high-privilege account, also review which users hold the rights to author SQL Expressions until the upgrade is deployed.
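A quick way to triage a fleet against this advisory is to combine the two checks it implies: is the running version inside one of the affected ranges, and is the sqlExpressions toggle switched on. The script below is an added example written for this page; it is not part of the advisory or of Grafana's own code. It takes the ranges and fixed releases exactly as stated above, assumes the two documented grafana.ini syntaxes for feature toggles (a comma-separated enable list, or one name = true line per toggle under [feature_toggles]), and uses constructed sample config fragments rather than a real deployment. It does not read the GF_FEATURE_TOGGLES_ENABLE environment variable, so check that separately on containerised installs.

```python
"""Added example (not part of the advisory or of Grafana): check a deployment against
the affected ranges above and detect the sqlExpressions toggle in grafana.ini."""
import configparser
import re

# (first affected version, first fixed version) for each release line, as stated above.
AFFECTED_RANGES = [
    ((11, 6, 0), (11, 6, 14)),
    ((12, 0, 0), (12, 1, 10)),
    ((12, 2, 0), (12, 2, 8)),
    ((12, 3, 0), (12, 3, 6)),
    ((12, 4, 0), (12, 4, 2)),
]

# Constructed sample configs (not taken from any real deployment): toggle on via the
# comma-separated list, toggle on via the per-toggle key, and a hardened config.
INI_TOGGLE_LIST = """
[server]
http_port = 3000

[feature_toggles]
enable = sqlExpressions, publicDashboards
"""

INI_TOGGLE_KEY = """
[feature_toggles]
publicDashboards = true
sqlExpressions = true
"""

INI_HARDENED = """
[feature_toggles]
enable = publicDashboards
"""


def parse_version(text):
    """Turn '12.3.4', 'v12.3.4' or '12.3.4+security-01' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(text):
    """True when the version lies inside one of the advisory's ranges (fixed release excluded)."""
    version = parse_version(text)
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


def sql_expressions_enabled(ini_text):
    """True if [feature_toggles] turns on sqlExpressions by either syntax Grafana accepts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # toggle names are case-sensitive; keep them as written
    cp.read_string(ini_text)
    if not cp.has_section("feature_toggles"):
        return False
    section = cp["feature_toggles"]
    listed = {name.strip() for name in section.get("enable", "").split(",")}
    if "sqlExpressions" in listed:
        return True
    return section.get("sqlExpressions", "false").strip().lower() == "true"


def assess(version, ini_text):
    """Combine both checks into the verdict an operator needs for this advisory."""
    if not is_affected_version(version):
        return "not-affected"
    if sql_expressions_enabled(ini_text):
        return "vulnerable"
    return "affected-version-toggle-off"


if __name__ == "__main__":
    for ver, ini in [("12.3.5", INI_TOGGLE_LIST), ("12.3.5", INI_HARDENED), ("12.3.6", INI_TOGGLE_LIST)]:
        print(ver, assess(ver, ini))
```

The version string can be taken from the version field of Grafana's /api/health response or from the binary's --version output; suffixes such as +security-01 are tolerated by the parser. A result of affected-version-toggle-off means the mitigation is in place but the upgrade is still due.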

Tags: Exploit · Fix · RCE · DoS · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-04159
BIT-GRAFANA-2026-27876
CVE-2026-27876
OPENSUSE-SU-2026:10601-1
SUSE-SU-2026:1524-1

Affected Products

Grafana