UNKNOWN CVE-2026-27876
RCE on Grafana via sqlExpressions
Platform: other
Component: grafana-enterprise
Fixed in: v12.4.2
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to remote arbitrary code execution (RCE). The chain is enabled by a feature in Grafana (OSS), so all users are advised to update to avoid future attack vectors along this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
How to fix
Update Grafana Enterprise to the latest available version. Make sure the 'sqlExpressions' feature is disabled if it is not needed. See the Grafana security advisory for more details and specific instructions.
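The two conditions above (version below the fix, toggle on) can be checked per instance. The following is an added example, not code from Grafana or from this advisory; the function names are hypothetical. It assumes toggles are set in the `[feature_toggles]` section of grafana.ini or through `GF_FEATURE_TOGGLES_ENABLE`, and it compares only against the v12.4.2 listed here, so it does not account for fixes on other release branches or for a toggle that a build enables by default.

```python
import configparser
import re

FIXED = (12, 4, 2)         # "Fixed in" version stated on this page
TOGGLE = "sqlExpressions"  # feature toggle named on this page

# Constructed sample config, not taken from a real deployment.
SAMPLE_INI = """\
app_mode = production
[feature_toggles]
; someOtherToggle is a made-up name
enable = someOtherToggle, sqlExpressions
"""

def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v12.4.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.groups())

def toggle_enabled(ini_text, env=None):
    """True if the config or GF_FEATURE_TOGGLES_ENABLE explicitly turns the toggle on."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: toggle names are camelCase
    # grafana.ini may have keys before the first [section]; give them a home.
    cp.read_string("[__top__]\n" + ini_text)
    section = dict(cp.items("feature_toggles")) if cp.has_section("feature_toggles") else {}
    # An environment variable replaces the ini value of the same key.
    enable = (env or {}).get("GF_FEATURE_TOGGLES_ENABLE", section.get("enable", ""))
    state = {name: True for name in re.split(r"[,\s]+", enable.strip()) if name}
    # Per-toggle "name = true/false" keys are applied after the enable list.
    for key, value in section.items():
        if key != "enable":
            state[key] = value.strip().lower() == "true"
    return state.get(TOGGLE, False)

def assess(version, ini_text, env=None):
    """Classify one instance against the two conditions the advisory gives."""
    patched = parse_version(version) >= FIXED
    toggle = toggle_enabled(ini_text, env)
    if not patched:
        return "exposed" if toggle else "upgrade"
    return "patched-toggle-on" if toggle else "ok"

if __name__ == "__main__":
    print(assess("v12.4.1", SAMPLE_INI))
```

A result of `patched-toggle-on` marks an updated instance where the toggle is still worth disabling if SQL Expressions are not in use.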