CVE-2026-27876

CRITICAL CVSS 9.1 View on NVD ↗

Description

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

https://grafana.com/security/security-advisories/cve-2026-27876

Published: Mar 27, 2026 15:16 UTC Modified: Mar 27, 2026 17:16 UTC