
Grafana CVE-2026-27876 (EUVD-2026-16634)

Severity: CRITICAL 9.1 (CVSS 3.1, NVD)
Weakness: Code Injection (CWE-94)
Published: 2026-03-27
Vendor: GRAFANA

Severity by source

NVD (primary): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SUSE: CRITICAL (qualitative rating)
Red Hat: 9.1 CRITICAL (qualitative rating)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events, newest first)

Apr 10, 2026 08:30 (nvd): Patch released; patch available
Mar 27, 2026 14:45 (euvd): EUVD ID assigned, EUVD-2026-16634
Mar 27, 2026 14:45 (vuln.today): Analysis generated
Mar 27, 2026 14:24 (nvd): CVE published, rated CRITICAL 9.1

Description (CVE.org)

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.

Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Analysis (AI-generated)

Remote code execution is achievable in Grafana through a chained attack that combines SQL Expressions with a Grafana Enterprise plugin. The enabling feature ships in Grafana OSS, so both open-source and Enterprise deployments are advised to update. Exploitation requires a high-privilege authenticated account (PR:H), but the changed scope means a successful attack compromises the host beyond Grafana itself, with full loss of confidentiality, integrity and availability. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: the target instance already has the sqlExpressions feature toggle enabled, and the attacker holds a high-privilege (administrative) Grafana account (PR:H).
Exploit: craft a malicious SQL expression payload.
Execution: inject code through a Grafana Enterprise plugin reached via the expression.
Impact: execute arbitrary code on the server.

Vulnerability Assessment (AI-generated)

Exploitation: requires Grafana (OSS or Enterprise) with the sqlExpressions feature toggle explicitly enabled. …

Risk Assessment: the CVSS score of 9.1 (Critical) reflects complete confidentiality, integrity and availability compromise combined with a changed scope; the high-privilege requirement is the only factor holding the score below 10. …

Exploit Scenario: an authenticated attacker with administrative access to a Grafana instance that has sqlExpressions enabled crafts a malicious SQL expression that chains with a Grafana Enterprise plugin to inject and execute arbitrary code on the server. The low attack complexity indicates exploitation uses existing Grafana features in a straightforward way rather than depending on race conditions or timing. …

Remediation: update Grafana to the patched version given in the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-27876. Until the update is applied, disabling the sqlExpressions feature toggle removes the precondition for the attack. …

Recommended Action (AI-generated)

Within 24 hours: Audit all Grafana instances for sqlExpressions feature toggle status and disable the feature immediately on all affected deployments; restrict administrative access to Grafana to only essential personnel and enforce multi-factor authentication on all admin accounts. …
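The first step above is an inventory question: which instances actually have the sqlExpressions toggle on? The script below is an added example, not code from vuln.today or the Grafana project. It assumes the three places a toggle can be switched on: the comma-separated `enable =` key or a per-toggle boolean key under `[feature_toggles]` in grafana.ini, the `GF_FEATURE_TOGGLES_ENABLE` environment variable, and the `featureToggles` object in the JSON returned by `GET /api/frontend/settings` (the response shape is an assumption here; only a parsed dict is examined, nothing is fetched). The sample configs are constructed for the example. Name matching is deliberately case-insensitive so that an audit errs toward a false positive rather than a missed host.

```python
"""Audit helper: is the sqlExpressions feature toggle enabled on a Grafana instance?

Added example, not vuln.today's or Grafana's own code. Assumed inputs:
  - grafana.ini text: [feature_toggles] with `enable = a,b,c` or `sqlExpressions = true`
  - process environment: GF_FEATURE_TOGGLES_ENABLE=a,b,c
  - parsed JSON from GET /api/frontend/settings: {"featureToggles": {"name": bool}}
"""
import configparser
import os
from typing import Mapping, Optional

TOGGLE = "sqlExpressions"


def _csv_names(value: str) -> set[str]:
    """Split a comma-separated toggle list into lower-cased names."""
    return {n.strip().lower() for n in value.split(",") if n.strip()}


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "on"}


def toggle_enabled_in_ini(ini_text: str, toggle: str = TOGGLE) -> bool:
    """True if the ini text enables `toggle` under [feature_toggles] in either form."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.optionxform = str  # keep key case as written; compared case-insensitively below
    cp.read_string(ini_text)
    if not cp.has_section("feature_toggles"):
        return False
    section = cp["feature_toggles"]
    if toggle.lower() in _csv_names(section.get("enable", "")):
        return True  # legacy list form: enable = foo, sqlExpressions
    return any(k.lower() == toggle.lower() and _truthy(v)
               for k, v in section.items())  # per-key form: sqlExpressions = true


def toggle_enabled_in_env(env: Mapping[str, str], toggle: str = TOGGLE) -> bool:
    """True if GF_FEATURE_TOGGLES_ENABLE lists `toggle`."""
    return toggle.lower() in _csv_names(env.get("GF_FEATURE_TOGGLES_ENABLE", ""))


def toggle_enabled_in_frontend_settings(settings: Mapping, toggle: str = TOGGLE) -> bool:
    """True if a parsed /api/frontend/settings response reports the toggle on.
    Assumed shape: {"featureToggles": {"<name>": bool, ...}}."""
    toggles = settings.get("featureToggles") or {}
    return any(k.lower() == toggle.lower() and bool(v) for k, v in toggles.items())


def audit(ini_text: str, env: Mapping[str, str],
          settings: Optional[Mapping] = None) -> dict:
    """Run all three checks; any hit puts the instance in scope for this CVE."""
    result = {
        "ini": toggle_enabled_in_ini(ini_text),
        "env": toggle_enabled_in_env(env),
        "frontend_settings": toggle_enabled_in_frontend_settings(settings or {}),
    }
    result["exposed"] = any(result.values())
    return result


# Constructed sample configs for the example (not taken from any real deployment).
VULNERABLE_INI = """\
[server]
http_port = 3000

[feature_toggles]
; legacy list form
enable = publicDashboards, sqlExpressions
"""

VULNERABLE_INI_PER_KEY = """\
[feature_toggles]
sqlExpressions = true   ; per-key form
"""

SAFE_INI = """\
[feature_toggles]
enable = publicDashboards
sqlExpressions = false
"""

if __name__ == "__main__":
    # On a live host, read the real grafana.ini and pass os.environ for the env check.
    for label, ini in [("list form", VULNERABLE_INI),
                       ("per-key form", VULNERABLE_INI_PER_KEY),
                       ("toggle off", SAFE_INI)]:
        print(f"{label}: {audit(ini, os.environ)}")
```

The ini parser is Python's configparser with interpolation disabled and inline `;`/`#` comments allowed, which is close enough to Grafana's ini dialect for this key; a `true` or `false` value is accepted in the usual spellings. A toggle that is off in the file but on in the environment still counts as exposed, which is the case the container-based deployments tend to hit.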


Vendor Status

SUSE

Severity: Critical
Product status:
SUSE Linux Enterprise Module for Package Hub 15 SP7: Fixed
SUSE Manager Client Tools 15: Fixed
SUSE Manager Client Tools for SLE 15: Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15: Fixed
openSUSE Leap 15.6: Fixed


CVE-2026-27876 vulnerability details – vuln.today
