CVE-2026-27876
Published: 27 March 2026
Summary
CVE-2026-27876 is a critical-severity Code Injection (CWE-94) vulnerability in Grafana. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 38.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the vulnerability by requiring timely patching to the fixed Grafana versions named in the security advisory.
- CM-7 (Least Functionality): mitigates the vulnerability by disabling functionality that is not needed, here the sqlExpressions feature toggle, which must be enabled for exploitation to be possible.
- SI-10 (Information Input Validation): prevents code injection such as the SQL Expressions chain to RCE by enforcing validation of user-supplied input. Note that this control is realised in Grafana's own code; for an operator the actionable measures are the upgrade and the feature toggle.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-27876 is a code injection vulnerability in the public-facing Grafana web application leading to remote arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected:
- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix.
13.0.0 and above also have the fix: no v13 release is affected.
Deeper analysis
CVE-2026-27876 is a code injection vulnerability (CWE-94) in Grafana OSS that enables a chained attack via the SQL Expressions feature and a Grafana Enterprise plugin, resulting in remote arbitrary code execution (RCE). It affects only instances with the sqlExpressions feature toggle enabled and is present in Grafana versions 11.6.0 (inclusive) to 11.6.14 (exclusive), 12.0.0 (inclusive) to 12.1.10 (exclusive), 12.2.0 (inclusive) to 12.2.8 (exclusive), 12.3.0 (inclusive) to 12.3.6 (exclusive), and 12.4.0 (inclusive) to 12.4.2 (exclusive). Versions 11.5 and below, as well as 13.0.0 and above, are unaffected. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-03-27.
Exploitation is remote over the network (AV:N), has low attack complexity (AC:L) and needs no user interaction (UI:N), but it requires high privileges (PR:H): the attacker must already hold a highly privileged account on the Grafana instance. Successful exploitation chains the SQL Expressions feature with a Grafana Enterprise plugin to reach RCE, and the scope change (S:C) means the impact is not confined to Grafana's own authorization scope but extends to the host the Grafana process runs on, with high impact on confidentiality, integrity, and availability.
The Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-27876 recommends updating to a fixed version: 11.6.14, 12.1.10, 12.2.8, 12.3.6, 12.4.2, or 13.0.0 and later. The 12.0 line is end-of-life and did not receive a patch, so instances on 12.0.x must move to 12.1.10 or later. Disabling the sqlExpressions feature toggle removes the exposure in the meantime, as only instances with the toggle enabled are vulnerable; after an upgrade, confirm both the running version and the toggle state rather than assuming either.
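The two conditions above (affected version range and sqlExpressions enabled) are easy to get wrong by hand across five release lines, so here is an added example, not code from this page or from Grafana Labs, that encodes the ranges from the NVD description and evaluates an instance against them. It assumes Grafana's documented grafana.ini convention for feature toggles (a `[feature_toggles]` section with either an `enable = a,b` list or a per-toggle `name = true` key); the two sample configs are constructed for the example, and `parse_version`, `first_fixed_for`, `toggles_from_ini` and `assess` are names chosen here, not Grafana APIs.

```python
"""Assess whether a Grafana instance is exposed to CVE-2026-27876.

Both conditions must hold: the version lies in an affected range and the
sqlExpressions feature toggle is enabled.  (Added example; not Grafana code.)
"""
import configparser
import re
from typing import Optional

# (first affected, first fixed) per release line, taken from the NVD text.
# A version v is affected when first_affected <= v < first_fixed.
AFFECTED_RANGES = [
    ("11.6.0", "11.6.14"),
    ("12.0.0", "12.1.10"),   # 12.0.x is end-of-life; the fix lives on 12.1
    ("12.2.0", "12.2.8"),
    ("12.3.0", "12.3.6"),
    ("12.4.0", "12.4.2"),
]

TOGGLE = "sqlExpressions"


def parse_version(s: str) -> tuple:
    """Turn '12.3.1' or '12.3.1+security-01' into (12, 3, 1).

    Only the leading dotted numeric part is compared; anything after '+' or
    '-' is ignored.  Assumption: a rebuild with a suffix carries the same
    numeric version as the release it patches, so check the suffix yourself.
    """
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x or 0) for x in m.groups())


def first_fixed_for(version: str) -> Optional[str]:
    """Return the first fixed release for this version's line, or None when
    the version is outside every affected range (11.5 and below, 13+, fixed)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def toggles_from_ini(ini_text: str) -> set:
    """Collect enabled toggles from a grafana.ini [feature_toggles] section.
    Grafana accepts both 'enable = a,b' and 'name = true' (assumption stated
    in the lead-in); both forms are honoured here."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # toggle names are case-sensitive
    cp.read_string(ini_text)
    enabled = set()
    if not cp.has_section("feature_toggles"):
        return enabled
    for key, val in cp.items("feature_toggles"):
        if key == "enable":
            enabled.update(t.strip() for t in val.split(",") if t.strip())
        elif val.strip().lower() in ("true", "1", "yes", "on"):
            enabled.add(key)
    return enabled


def assess(version: str, toggles: set) -> dict:
    """Combine version and toggle state into a verdict plus the action."""
    fix = first_fixed_for(version)
    toggle_on = TOGGLE in toggles
    affected = fix is not None and toggle_on
    if affected:
        action = f"upgrade to {fix}; disable {TOGGLE} until then"
    elif fix is not None:
        action = f"not exposed while {TOGGLE} stays off; still upgrade to {fix}"
    else:
        action = "version outside affected ranges"
    return {"version": version, "version_in_range": fix is not None,
            "toggle_enabled": toggle_on, "affected": affected,
            "fixed_version": fix, "action": action}


# Constructed sample configs for the example, not from any real deployment.
VULNERABLE_INI = """
[server]
http_port = 3000

[feature_toggles]
enable = sqlExpressions,otherFeature
"""

HARDENED_INI = """
[server]
http_port = 3000

[feature_toggles]
; sqlExpressions dropped from 'enable'; an explicit false is also honoured
enable = otherFeature
sqlExpressions = false
"""

if __name__ == "__main__":
    for label, ini in (("vulnerable", VULNERABLE_INI), ("hardened", HARDENED_INI)):
        print(label, assess("12.3.5", toggles_from_ini(ini)))
```

Feed `assess` the version string from the instance (for example the `version` field of the `/api/health` response) and the toggles from the config that is actually deployed; if toggles are set through the environment rather than the ini file (Grafana's `GF_FEATURE_TOGGLES_ENABLE` variable), read that value into the same set. The verdict deliberately keeps `version_in_range` separate from `affected`, so an instance that is only safe because the toggle is off still shows up as needing the upgrade.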
Details
- CWE(s)