LeakyCreds

CVE-2026-27876 - Vulnerability Analysis

Critical | CVSS: 9.1

Last Updated: March 27, 2026

Grafana Enterprise - Remote Code Execution

Published: March 27, 2026 | Updated: March 27, 2026 | Remote Exploitable

Overview

The Grafana Enterprise plugin with the sqlExpressions feature enabled contains a remote code execution vulnerability caused by chained SQL expressions, which lets remote attackers execute arbitrary code. Exploitation requires the sqlExpressions feature to be enabled.

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Remote attackers can execute arbitrary code, potentially leading to full system compromise.

Mitigation

Update to the latest version of the Grafana Enterprise plugin, in which the sqlExpressions feature is fixed or disabled.

Details

CVE ID: CVE-2026-27876
Severity: Critical
CVSS Score: 9.1
Type: sql_injection
Status: new

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H