CVE-2026-27876

CRITICAL NVD

CVSS Score 9.1

Severity CRITICAL

Published Mar 27, 2026

Vendor unknown

Description

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

References

https://grafana.com/security/security-advisories/cve-2026-27876