
Grafana security release: Critical and high severity security fixes for CVE-2026-27876 and CVE-2026-27880
Today we are releasing Grafana 12.4.2 along with patches for Grafana 12.3, 12.2, 12.1, and 11.6, which include critical and high severity security fixes. We recommend that you install the newly released versions as soon as possible.
Grafana 12.4.2 with security fixes:
Grafana 12.3.6 with security fixes:
Grafana 12.2.8 with security fixes:
Grafana 12.1.10 with security fixes:
Grafana 11.6.14 with security fixes:
As per our security policy, Grafana Labs customers have received security patched versions two weeks in advance under embargo, and Grafana Cloud has been patched.
We have also coordinated closely with all cloud providers licensed to offer Grafana Cloud. They received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.
CVE-2026-27876: SQL expressions arbitrary file write enabling remote code execution
Grafana's SQL expressions feature enables transforming query data with familiar SQL syntax. The implementation, however, also permitted writing arbitrary files to the file system, and that file write could be chained with other weaknesses to achieve remote code execution.
The CVSS score for this vulnerability is 9.1 CRITICAL (CVSS link).
The following prerequisites are required for this vulnerability:
- Access to execute data source queries (Viewer permissions or higher)
- The sqlExpressions feature toggle must be enabled on the Grafana instance.
Impact
An attacker with access to execute data source queries could overwrite a Sqlyze driver or write an AWS data source configuration file in order to achieve full remote code execution. We have confirmed this vulnerability could be exploited to acquire an SSH connection to the Grafana host.
Impacted versions
Grafana versions v11.6.0 and later are impacted by this vulnerability.
Solutions and mitigations
We recommend upgrading to one of the patched versions listed above as soon as possible.
If an upgrade is not immediately possible, the following workarounds reduce risk. Note: these may cause disruption to Grafana users and do not fully remediate the vulnerability.
Option 1: Disable the sqlExpressions feature toggle.
Option 2: Perform ALL of the following:
- If you have Sqlyze installed: update to at least v1.5.0 or disable it.
- Disable all AWS data sources you have installed.
CVE-2026-27880: Unauthenticated denial-of-service via OpenFeature endpoint
Grafana's OpenFeature feature flag validation endpoints do not require authentication and accept unbounded user input, which is read entirely into memory.
The CVSS score for this vulnerability is 7.5 HIGH (CVSS link).
Impact
An attacker could crash the Grafana server by sending requests that exhaust available memory.
Impacted versions
Grafana versions v12.1.0 and later are impacted by this vulnerability.
Solutions and mitigations
We recommend upgrading to one of the patched versions listed above as soon as possible.
If an upgrade is not immediately possible, any of the following workarounds reduces risk:
- Deploy Grafana in a highly available environment with automatic restarts.
- Implement a reverse proxy in front of Grafana that limits input payload size. Cloudflare does this by default. Nginx supports this via explicit configuration.
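The reverse-proxy workaround above, as an added example that is not part of the advisory: an nginx front end for Grafana that enforces an explicit request-body cap, so an unauthenticated client cannot push an unbounded payload through to the OpenFeature endpoints. The hostname, certificate paths and the Grafana listen address (127.0.0.1:3000) are assumptions, and the proxy is assumed to be the only network path into Grafana.

```nginx
# Added example (not from the Grafana advisory). Assumes Grafana listens on
# 127.0.0.1:3000 and is reachable only through this proxy: the body-size
# limit protects nothing if clients can hit Grafana's port directly.
http {
    upstream grafana {
        server 127.0.0.1:3000;
    }

    server {
        listen 443 ssl;
        server_name grafana.example.com;                 # placeholder hostname
        ssl_certificate     /etc/nginx/tls/grafana.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/tls/grafana.key;  # placeholder path

        # Weak setting: a value of 0 disables the size check entirely, so a
        # request body of any size is accepted and forwarded to Grafana.
        # client_max_body_size 0;

        # Hardened setting: requests whose body exceeds 1 MiB are refused with
        # HTTP 413 before anything is forwarded. Set this explicitly rather
        # than relying on defaults or on an include that may override it, and
        # size it to the largest legitimate Grafana request you observe
        # (dashboard JSON imports are typically the upper bound).
        client_max_body_size 1m;

        location / {
            proxy_pass http://grafana;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

A burst of 413 responses in the nginx access log is the signal that oversized requests are being dropped at the proxy rather than reaching Grafana; the limit applies to every proxied path, so verify that legitimate large requests still succeed after deploying it.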
Timeline and post-incident review
Here is a detailed incident timeline. All times are in UTC.
CVE-2026-27876
| Date/Time (UTC) | Event |
|---|---|
| 2025-02-06 | sqlExpressions feature reimplemented with MySQL syntax and released in v11.6.0 |
| 2026-02-23 13:33 | Internal incident declared |
| 2026-02-23 15:08 | Grafana Cloud patched |
| 2026-03-09 | Private release issued to customers under embargo |
| 2026-03-25 | Public release |
| 2026-03-26 04:00 | Blog published |
CVE-2026-27880
| Date/Time (UTC) | Event |
|---|---|
| 2025-06-27 | New OpenFeature evaluation endpoint introduced and released in v12.1.0 |
| 2026-02-24 13:12 | Internal incident declared |
| 2026-02-24 17:49 | Grafana Cloud stacks not behind Cloudflare were patched; Cloudflare-backed stacks were not affected |
| 2026-03-09 | Private release issued to customers under embargo |
| 2026-03-25 | Public release |
| 2026-03-26 04:00 | Blog published |
Acknowledgements
We would like to thank Liad Eliyahu, Head of Research at Miggo Security, for responsibly disclosing CVE-2026-27876 through our bug bounty program.
CVE-2026-27880 was discovered internally by the Grafana Labs security team.
Reporting security issues
If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
You can also read more about our bug bounty program and have a look at our Security Hall of Fame.
Security announcements
We maintain a security advisories page, where we always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.