Cyber Resilience

CVE-2026-27876

Critical · RCE · Updated

Published: 27 March 2026

Modified: 27 June 2026
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0128 (66.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27876 is a critical-severity Code Injection (CWE-94) vulnerability in Grafana (vendor: Grafana). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27876 is a code injection vulnerability (CWE-94) in Grafana OSS that enables a chained attack via the SQL Expressions feature and a Grafana Enterprise plugin, resulting in remote arbitrary code execution (RCE). It affects only instances with the sqlExpressions feature toggle enabled and is present in Grafana versions 11.6.0 (inclusive) to 11.6.14 (exclusive), 12.0.0 (inclusive) to 12.1.10 (exclusive), 12.2.0 (inclusive) to 12.2.8 (exclusive), 12.3.0 (inclusive) to 12.3.6 (exclusive), and 12.4.0 (inclusive) to 12.4.2 (exclusive). Versions 11.5 and below, as well as 13.0.0 and above, are unaffected. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-03-27.

Attackers require high privileges (PR:H) to exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation chains the SQL Expressions feature with a Grafana Enterprise plugin, achieving RCE with a scope change (S:C) that grants high impacts on confidentiality, integrity, and availability of the affected Grafana instance.

The Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-27876 recommends updating to fixed versions, including 11.6.14, 12.1.10, 12.2.8, 12.3.6, 12.4.2, or 13.0.0 and later. Disabling the sqlExpressions feature toggle mitigates the issue, as only enabled instances are vulnerable. Version 12.0.0 is end-of-life and did not receive a patch.

Vulnerability details

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected:

- 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
- 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
- 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
- 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
- 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix.

13.0.0 and above also have the fix: no v13 release is affected.
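As an added example (not code from the advisory or the Grafana project), the following Python triage helper encodes the affected version ranges and the sqlExpressions toggle condition stated above, so a defender can check an inventory entry together with its grafana.ini; the `[feature_toggles]` keys are the documented Grafana forms, and the ini fragment is constructed sample input.

```python
import configparser
import re
# Affected ranges from the advisory: (min inclusive, max exclusive, fixed version).
# 12.0.x is end-of-life and got no 12.0 fix; its upgrade target is 12.1.10.
AFFECTED_RANGES = [
    ((11, 6, 0), (11, 6, 14), "11.6.14"),
    ((12, 0, 0), (12, 1, 10), "12.1.10"),
    ((12, 2, 0), (12, 2, 8), "12.2.8"),
    ((12, 3, 0), (12, 3, 6), "12.3.6"),
    ((12, 4, 0), (12, 4, 2), "12.4.2"),
]

def parse_version(text):
    """'12.1.3' or 'v12.1.3+security-01' -> (12, 1, 3); build suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(x) for x in m.groups())

def affected_range(version):
    """Return the version to upgrade to if `version` is in an affected range, else None."""
    ver = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= ver < hi:
            return fixed
    return None

def sql_expressions_enabled(ini_text):
    """Read [feature_toggles] from grafana.ini text; Grafana accepts either a
    comma-separated `enable = a,b` list or a per-toggle `sqlExpressions = true` key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("feature_toggles"):
        return False
    sec = cp["feature_toggles"]
    enabled = {t.strip() for t in sec.get("enable", "").split(",")}
    if "sqlExpressions" in enabled:
        return True
    return sec.get("sqlExpressions", "false").strip().lower() == "true"

def assess(version, ini_text):
    """Verdict: ('vulnerable' | 'affected-but-toggle-off' | 'not-affected', fixed)."""
    fixed = affected_range(version)
    if fixed is None:
        return "not-affected", None
    if sql_expressions_enabled(ini_text):
        return "vulnerable", fixed
    return "affected-but-toggle-off", fixed

SAMPLE_INI = "[feature_toggles]\nenable = sqlExpressions, publicDashboards\n"  # constructed sample
```

An instance on an affected version with the toggle off is still reported as affected, since disabling the toggle is a mitigation, not the fix.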

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-27876 is a code injection vulnerability in the public-facing Grafana web application leading to remote arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33376 · Same product: Grafana Grafana
CVE-2026-27880 · Same product: Grafana Grafana
CVE-2026-27877 · Same product: Grafana Grafana
CVE-2026-21720 · Same product: Grafana Grafana
CVE-2026-33377 · Same product: Grafana Grafana
CVE-2026-21721 · Same product: Grafana Grafana
CVE-2025-50567 · Shared CWE-89, CWE-94
CVE-2025-41118 · Same vendor: Grafana
CVE-2026-28377 · Same vendor: Grafana
CVE-2026-24956 · Shared CWE-89

Affected Assets

grafana (vendor: grafana) · affected version ranges as listed under Vulnerability details above

Mitigating Controls (NIST 800-53 r5) (AI)

prevent
Directly addresses the vulnerability by requiring timely patching of affected Grafana versions as recommended in the security advisory.

prevent · CM-7 (Least Functionality)
Mitigates the vulnerability by disabling unnecessary functionality such as the sqlExpressions feature toggle, which is required for exploitation.

prevent · SI-10 (Information Input Validation)
Prevents code injection attacks like the SQL Expressions chaining to RCE by enforcing validation of user-supplied inputs.
