CVE-2026-27876: Code Injection in Grafana

Severity: 9.1 CRITICAL (NVD)
EPSS: 0.1% (top 69.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published 2026-03-27

Description

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to remote arbitrary code execution (RCE). The chain is enabled by a feature present in Grafana OSS, so all users are recommended to update to close this attack path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected:
- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix.
11.5 and below are not
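The description gives two conditions that together decide exposure: the running version must fall in an affected range, and the sqlExpressions feature toggle must be switched on. The triage script below applies both conditions to a version string and a grafana.ini. It is an added example written for this page, not code from cvebase, Grafana Labs, or any of the advisories listed here. It assumes the two documented grafana.ini forms for toggles (`[feature_toggles] enable = a,b` and `[feature_toggles] name = true`) and the `GF_FEATURE_TOGGLES_ENABLE` environment override, which replaces the ini value rather than appending to it. The sample ini texts are constructed. Because the page lists only one version range and says further ranges exist without showing them, a version outside that range is reported as UNKNOWN, never as not affected.

```python
import configparser
import re
from typing import Mapping, Optional

# Version range given on the page, as [introduced, fixed). The page says further
# ranges exist but does not list them, so a version outside KNOWN_RANGES is
# reported as UNKNOWN, never as not affected.
KNOWN_RANGES = [("11.6.0", "11.6.14")]
TOGGLE = "sqlExpressions"


def parse_version(v: str) -> tuple:
    """'v11.6.3-security-01' -> (11, 6, 3); pre-release/build suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version: str) -> str:
    """'affected', 'fixed' or 'not covered', relative to the range listed on the page."""
    ver = parse_version(version)
    for introduced, fixed in KNOWN_RANGES:
        lo, hi = parse_version(introduced), parse_version(fixed)
        if lo <= ver < hi:
            return "affected"
        if ver[:2] == hi[:2] and ver >= hi:   # same minor line, at or past the fix
            return "fixed"
    return "not covered"


def toggle_enabled(ini_text: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """True if sqlExpressions is switched on.

    Handles both forms Grafana accepts in grafana.ini (assumed from its docs):
        [feature_toggles] enable = a,b,sqlExpressions
        [feature_toggles] sqlExpressions = true
    and the GF_FEATURE_TOGGLES_ENABLE environment override, which replaces
    the ini 'enable' value rather than appending to it.
    """
    env = env or {}
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str                      # keep key case: toggle names are camelCase
    cp.read_string("[_top]\n" + ini_text)     # tolerate top-level keys such as app_mode
    section = cp["feature_toggles"] if cp.has_section("feature_toggles") else {}

    enable_value = env.get("GF_FEATURE_TOGGLES_ENABLE")
    if enable_value is None:
        enable_value = section.get("enable") or ""
    if TOGGLE in [t.strip() for t in enable_value.split(",")]:
        return True
    return (section.get(TOGGLE) or "false").strip().lower() == "true"


def assess(version: str, ini_text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """VULNERABLE / LATENT / FIXED / UNKNOWN for one instance.

    LATENT: affected version but the toggle is off, so this path is closed today;
    the vendor still says to update.
    """
    status = version_status(version)
    if status == "not covered":
        return "UNKNOWN"      # outside the page's listed range: read the full advisory
    if status == "fixed":
        return "FIXED"
    return "VULNERABLE" if toggle_enabled(ini_text, env) else "LATENT"


# Constructed sample configs (not taken from any real deployment).
VULNERABLE_INI = """\
app_mode = production

[server]
http_port = 3000

[feature_toggles]
enable = publicDashboards,sqlExpressions
"""

HARDENED_INI = VULNERABLE_INI.replace(",sqlExpressions", "")   # toggle removed

if __name__ == "__main__":
    for ver, ini, env in [
        ("11.6.3", VULNERABLE_INI, None),
        ("11.6.3", HARDENED_INI, None),
        ("11.6.3", HARDENED_INI, {"GF_FEATURE_TOGGLES_ENABLE": "sqlExpressions"}),
        ("v11.6.14", VULNERABLE_INI, None),
        ("12.1.0", VULNERABLE_INI, None),
    ]:
        print(f"{ver:<9} toggle={toggle_enabled(ini, env)!s:<5} -> {assess(ver, ini, env)}")
```

The version string can be taken from the instance's /api/health response or the binary's `grafana server -v` output; the ini and environment should be read from the host or container actually serving traffic, since an environment override silently wins over the file.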

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

PR:H means the chain needs a highly privileged Grafana account; S:C records that the impact reaches beyond the Grafana component itself, which is what lifts the score to 9.1 despite the high privilege requirement.

Affected Packages (2)

Source      Package          From      To        Note
CVEListV5   grafana/grafana  11.6.0    11.6.14   +4 further ranges not shown on this page
NVD         grafana/grafana  11.6.14   12.0.0    +4 further ranges not shown on this page

Vulnerability Details (3)

OSV, 2026-03-27: CVE-2026-27876: A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE)
GHSA, 2026-03-27: GHSA-736h-475m-xhjc: A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE)
CVEList, 2026-03-27: RCE on Grafana via sqlExpressions

Vendor Advisories (1)

Red Hat, 2026-03-27: grafana: grafana-enterprise-plugin: Grafana: Remote arbitrary code execution via chained SQL Expressions and Enterprise plugin attack

Threat Intelligence (1)

Wiz: CVE-2026-27876 Impact, Exploitability, and Mitigation Steps | Wiz

Source page: cvebase