Grafana Enterprise Plugin SQL Expression RCE via CVE-2026-27876
A chained attack leveraging SQL Expressions and a Grafana Enterprise plugin, tracked as CVE-2026-27876, can lead to remote arbitrary code execution on vulnerable Grafana instances with the sqlExpressions feature enabled.
CVE-2026-27876 describes a critical vulnerability in Grafana that allows for remote arbitrary code execution (RCE). The vulnerability stems from a chained attack involving SQL Expressions and a Grafana Enterprise plugin. Successful exploitation requires the sqlExpressions feature toggle to be enabled on the Grafana instance. Grafana Labs strongly recommends that all users update their Grafana instances to the latest version to mitigate the risk of exploitation, even if the sqlExpressions…
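The precondition above (the sqlExpressions feature toggle being enabled) can be audited per instance. The following is an added example, not code from this page or from Grafana Labs; it assumes the standard grafana.ini `[feature_toggles]` section and the `GF_FEATURE_TOGGLES_ENABLE` environment override, and it reports explicit settings only, not the default of the installed version. The sample configuration is constructed.

```python
import configparser
import re

TOGGLE = "sqlExpressions"  # feature toggle named in the advisory text
TRUE_VALUES = {"1", "t", "true"}

# Constructed sample; exampleOtherToggle is a made-up toggle name.
SAMPLE_INI = """
app_mode = production

[feature_toggles]
enable = exampleOtherToggle, sqlExpressions
"""


def sql_expressions_state(ini_text, env=None):
    """Return (state, source); state is True/False if set explicitly, else None."""
    env = env or {}
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # toggle names are case-sensitive
    # grafana.ini may carry keys before the first section header
    cp.read_string("[__root__]\n" + ini_text)
    section = cp["feature_toggles"] if cp.has_section("feature_toggles") else {}
    state, source = None, "not set explicitly"

    # The environment variable replaces the ini 'enable' list when present.
    if "GF_FEATURE_TOGGLES_ENABLE" in env:
        enable, origin = env["GF_FEATURE_TOGGLES_ENABLE"], "GF_FEATURE_TOGGLES_ENABLE"
    else:
        enable, origin = section.get("enable", ""), "[feature_toggles] enable"
    if TOGGLE in re.split(r"[,\s]+", enable.strip()):
        state, source = True, origin

    # A per-toggle 'name = true|false' key overrides the enable list.
    if TOGGLE in section:
        state = section[TOGGLE].strip().lower() in TRUE_VALUES
        source = "[feature_toggles] " + TOGGLE
    return state, source


if __name__ == "__main__":
    print(sql_expressions_state(SAMPLE_INI))
```
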
Detection coverage: 2
Detect Suspicious Grafana SQL Expression Usage
Severity: high. Detects potential exploitation attempts leveraging SQL Expressions in Grafana by identifying unusual SQL queries within Grafana logs.
Detect Grafana Enterprise Plugin SQL Injection Attempts
Severity: critical. Detects potential SQL injection attempts targeting Grafana Enterprise plugins by monitoring for suspicious SQL syntax in HTTP requests.
Indicators of compromise: 1 (url)