Cyber Posture

CVE-2026-27876

Critical

Published: 27 March 2026

Modified: 02 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected:

- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix.

13.0.0 and above also have the fix: no v13 release is affected.

Mitigating Controls (NIST 800-53 r5)

prevent

Directly addresses the vulnerability by requiring timely patching of affected Grafana versions as recommended in the security advisory.

prevent

Mitigates the vulnerability by disabling unnecessary functionality such as the sqlExpressions feature toggle, which is required for exploitation. Disabling the toggle removes the precondition for this particular chain but is a stopgap: the advisory still recommends updating to a fixed release.

prevent

Prevents code-injection attacks such as the SQL Expressions chain to RCE by enforcing validation of user-supplied inputs. This is a control on the Grafana codebase itself (the fixed releases are where it is applied); an operator cannot retrofit it and should rely on patching and the feature-toggle control above.

Security Summary

CVE-2026-27876 is a code injection vulnerability (CWE-94) in Grafana OSS that enables a chained attack via the SQL Expressions feature and a Grafana Enterprise plugin, resulting in remote arbitrary code execution (RCE). It affects only instances with the sqlExpressions feature toggle enabled and is present in Grafana versions 11.6.0 (inclusive) to 11.6.14 (exclusive), 12.0.0 (inclusive) to 12.1.10 (exclusive), 12.2.0 (inclusive) to 12.2.8 (exclusive), 12.3.0 (inclusive) to 12.3.6 (exclusive), and 12.4.0 (inclusive) to 12.4.2 (exclusive). Versions 11.5 and below, as well as 13.0.0 and above, are unaffected. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-03-27.

Attackers require high privileges (PR:H), i.e. an already-authenticated high-privilege Grafana account, to exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation chains the SQL Expressions feature with a Grafana Enterprise plugin, achieving RCE with a scope change (S:C): the high confidentiality, integrity, and availability impacts extend beyond the Grafana application to the host or container it runs on.

The Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-27876 recommends updating to fixed versions: 11.6.14, 12.1.10, 12.2.8, 12.3.6, 12.4.2, or 13.0.0 and later. Disabling the sqlExpressions feature toggle mitigates the issue, as only instances with it enabled are vulnerable, but the advisory still recommends updating. The 12.0.x line is end-of-life and did not receive a patch; instances on 12.0.x must move to 12.1.10 or later.
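The version ranges in the description and the two mitigations above (patch, or disable the toggle) translate into a small triage check an operator can run against each instance before deciding what to do. The following script is an added example, not Grafana's code or part of the advisory. It encodes the affected ranges as [start, fixed) intervals, and reads the toggle state from either a decoded `/api/frontend/settings` response (assumed to carry a `featureToggles` name-to-bool map) or a `grafana.ini` (assumed to accept both the `enable = a,b,c` list form and a per-toggle `sqlExpressions = true` key under `[feature_toggles]`). The `/api/health` response is assumed to carry a `version` field. All sample responses and ini text are constructed, not captured.

```python
"""Triage helper for CVE-2026-27876 (added example, not Grafana's own code).

Answers two questions per instance:
  1. Is the running version inside an affected range from the advisory?
  2. Is the sqlExpressions feature toggle on (API view or grafana.ini view)?
Endpoint and config-key shapes are assumptions; sample inputs are constructed.
"""
import configparser
import json
import re

# Affected ranges from the advisory as (start, fixed): affected when start <= v < fixed.
# 11.5 and below and every 13.x release fall outside all ranges.
AFFECTED_RANGES = [
    ((11, 6, 0), (11, 6, 14)),
    ((12, 0, 0), (12, 1, 10)),   # 12.0.x is EOL; the fix for that range is 12.1.10
    ((12, 2, 0), (12, 2, 8)),
    ((12, 3, 0), (12, 3, 6)),
    ((12, 4, 0), (12, 4, 2)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '12.3.5', 'v12.3.5' or '12.3.5-security-01'."""
    m = _VERSION_RE.match(text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version):
    """Return the fixed release for a vulnerable version, or None if it is not in an affected range."""
    v = parse_version(version) if isinstance(version, str) else version
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:           # tuple comparison gives semantic ordering
            return ".".join(str(x) for x in fixed)
    return None


def sql_expressions_enabled(frontend_settings):
    """Toggle state from a decoded /api/frontend/settings response (assumed shape).
    An absent key means the toggle is off."""
    toggles = frontend_settings.get("featureToggles") or {}
    return bool(toggles.get("sqlExpressions", False))


def sql_expressions_enabled_in_ini(ini_text):
    """Toggle state from grafana.ini text. Assumed forms under [feature_toggles]:
    'enable = a,b,sqlExpressions' or 'sqlExpressions = true'."""
    cp = configparser.ConfigParser(interpolation=None)
    # grafana.ini may carry keys above the first section; give them a throwaway header.
    cp.read_string("[__top__]\n" + ini_text)
    if not cp.has_section("feature_toggles"):
        return False
    sec = cp["feature_toggles"]
    enabled_list = [t.strip().lower() for t in sec.get("enable", "").split(",")]
    if "sqlexpressions" in enabled_list:
        return True
    # configparser lower-cases option names, so look up the lower-cased key.
    return sec.get("sqlexpressions", "false").strip().lower() == "true"


def assess(health, frontend_settings):
    """Combine the version check with the runtime toggle state. Returns (status, detail)."""
    version = health.get("version", "")
    fixed = fixed_version_for(version)
    if fixed is None:
        return "not_affected", f"{version} is outside the affected ranges"
    if not sql_expressions_enabled(frontend_settings):
        return "affected_toggle_off", (f"{version} is in an affected range but sqlExpressions "
                                       f"is disabled; still upgrade to {fixed}")
    return "vulnerable", (f"{version} with sqlExpressions enabled; upgrade to {fixed} "
                          f"or disable the toggle as a stopgap")


# Constructed sample responses, shaped like /api/health and /api/frontend/settings.
SAMPLE_HEALTH = json.loads('{"commit": "abc123", "database": "ok", "version": "12.3.5"}')
SAMPLE_SETTINGS = json.loads('{"featureToggles": {"sqlExpressions": true, "publicDashboards": true}}')
SAMPLE_INI = "app_mode = production\n[feature_toggles]\nenable = publicDashboards,sqlExpressions\n"

if __name__ == "__main__":
    status, detail = assess(SAMPLE_HEALTH, SAMPLE_SETTINGS)
    print(status, "-", detail)
    print("grafana.ini enables sqlExpressions:", sql_expressions_enabled_in_ini(SAMPLE_INI))
```

The runtime view (`/api/frontend/settings`) is the one to trust for "is it on right now", since toggles can also arrive through environment variables such as `GF_FEATURE_TOGGLES_ENABLE` rather than the ini file; the ini check is useful for reviewing configuration at rest in a repository or image. An `affected_toggle_off` result still warrants the upgrade, because the advisory recommends updating regardless of toggle state.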

Details

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')
Affected Products

grafana / grafana (sqlExpressions feature toggle enabled)
- 11.6.0 ≤ v < 11.6.14
- 12.0.0 ≤ v < 12.1.10
- 12.2.0 ≤ v < 12.2.8
- 12.3.0 ≤ v < 12.3.6
- 12.4.0 ≤ v < 12.4.2

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-27876 is a code injection vulnerability in the public-facing Grafana web application leading to remote arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application. Because the vector requires high privileges (PR:H), the technique presupposes that the adversary already holds a high-privilege Grafana account, for example through credential theft or an insider.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://grafana.com/security/security-advisories/cve-2026-27876