PT-2026-28369 · Grafana · Grafana
Published 2026-03-26 · Updated 2026-03-30 · CVE-2026-27876
CVSS v3.1: 9.1 Critical (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Grafana versions prior to 12.4.2; Grafana versions 11.6.0 through 12.1.0
Description: A chained attack involving SQL Expressions and a Grafana Enterprise plugin can lead to remote arbitrary code execution (RCE). The issue is enabled by the sqlExpressions feature in Grafana (OSS). Exploitation involves crafting malicious SQL expressions that, when processed by a vulnerable Grafana Enterprise plugin, trigger code evaluation and lead to RCE. Approximately 83,000 instances globally are potentially exposed. The attack bypasses plugin signing, allowing execution without authentication via maliciously crafted plugin archives. The sqlExpressions feature toggle must be enabled for a system to be vulnerable. Exploitation can lead to SSH hijacking and complete system compromise.
Recommendations: Update Grafana to version 12.4.2 or later. For versions 11.6.0 through 12.1.0, update immediately. Disable the sqlExpressions feature toggle if it is not required.
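The two recommendations above (patch to 12.4.2 or later, and turn off the sqlExpressions toggle where it is not needed) can be turned into a quick exposure check. The script below is an added example, not part of the advisory or of Grafana's own tooling: it reads a grafana.ini, reports whether the sqlExpressions toggle is enabled under `[feature_toggles]` (Grafana accepts both the comma-separated `enable =` list and a per-toggle `sqlExpressions = true` key), and combines that with the running version. The version thresholds and the toggle name come from the advisory text; the two sample configuration snippets are constructed for the example.

```python
"""Exposure check for the sqlExpressions toggle and an unpatched Grafana version.

Added example, not part of the original advisory. The sample grafana.ini
snippets below are constructed; version ranges and the toggle name come from
the advisory text.
"""
import configparser
from typing import Dict, Tuple

TOGGLE = "sqlExpressions"
FIXED_VERSION = (12, 4, 2)                   # "update to 12.4.2 or later"
PRIORITY_RANGE = ((11, 6, 0), (12, 1, 0))    # "11.6.0 through 12.1.0: update immediately"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.1.0' (or '12.1.0-pre') into a comparable tuple such as (12, 1, 0)."""
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected_version(version: str) -> bool:
    """Anything below the fixed release is within the advisory's affected range."""
    return parse_version(version) < FIXED_VERSION


def is_priority_version(version: str) -> bool:
    """The band the advisory singles out for immediate updating."""
    lo, hi = PRIORITY_RANGE
    return lo <= parse_version(version) <= hi


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "on"}


def sql_expressions_enabled(ini_text: str) -> bool:
    """Return True if the [feature_toggles] section turns on sqlExpressions.

    Two spellings are recognised:
        enable = toggleA,toggleB      (comma-separated list)
        sqlExpressions = true         (one key per toggle)
    """
    parser = configparser.ConfigParser(
        strict=False,                          # tolerate repeated keys
        inline_comment_prefixes=(";", "#"),    # grafana.ini uses ';' comments
        interpolation=None,                    # '%' is literal in Grafana config
    )
    parser.optionxform = str                   # keep toggle names case-sensitive
    # Grafana permits keys before the first section header; give them a home.
    parser.read_string("[_root]\n" + ini_text)
    if not parser.has_section("feature_toggles"):
        return False
    section = parser["feature_toggles"]
    listed = {t.strip() for t in section.get("enable", "").split(",") if t.strip()}
    if TOGGLE in listed:
        return True
    return _truthy(section.get(TOGGLE, "false"))


def assess(version: str, ini_text: str) -> Dict[str, object]:
    """Combine version and toggle state into an exposure verdict and an action."""
    affected = is_affected_version(version)
    enabled = sql_expressions_enabled(ini_text)
    if not affected:
        action = "none: running a fixed version"
    elif enabled and is_priority_version(version):
        action = "update immediately to 12.4.2 or later"
    elif enabled:
        action = "update to 12.4.2 or later; disable sqlExpressions until then"
    else:
        action = "update to 12.4.2 or later (toggle off, so this chain does not apply)"
    return {
        "version": version,
        "affected_version": affected,
        "toggle_enabled": enabled,
        "exposed": affected and enabled,
        "action": action,
    }


# Constructed sample: toggle enabled through the comma-separated list.
EXPOSED_INI = """
app_mode = production

[server]
http_port = 3000

[feature_toggles]
; constructed example; someOtherToggle is a placeholder name
enable = sqlExpressions, someOtherToggle
"""

# Constructed sample: the hardened form, toggle explicitly off.
HARDENED_INI = """
[feature_toggles]
enable =
sqlExpressions = false
"""

if __name__ == "__main__":
    for ver, ini in (("12.0.3", EXPOSED_INI), ("12.0.3", HARDENED_INI), ("12.4.2", EXPOSED_INI)):
        print(assess(ver, ini))
```

Run it against the real `grafana.ini` (and remember that `GF_FEATURE_TOGGLES_ENABLE` in the environment can switch toggles on outside the file) to confirm the toggle is off on any instance that cannot be patched right away.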
Tags: Fix · DoS · RCE · Code Injection
Weakness Enumeration
Related Identifiers: CVE-2026-27876
Affected Products: Grafana