CVE-2026-27876

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.<br /> <br /> Only instances with the sqlExpressions feature toggle enabled are vulnerable.<br /> <br /> Only instances in the following version ranges are affected:<br /> <br /> - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.<br /> - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.<br /> - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.<br /> - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.<br /> - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.