Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Authenticated query user (PR:L) over the network triggers Snowflake GET/PUT, crossing the datasource trust boundary (S:C) for full file read/write (C:H/I:H) with no availability impact.
Primary rating from vendor (Grafana).
CVSS vector (vendor: Grafana): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Description (source: CVE.org)
The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host.
Analysis (AI-generated)
Arbitrary file read and write in the Grafana Snowflake datasource plugin (versions 1.14.7 through 1.14.12) allows authenticated users with query permissions to invoke Snowflake GET/PUT commands and transfer files between the Grafana server's local filesystem and the connected Snowflake host. The CVSS 9.6 score reflects a scope-changing flaw (S:C) where low-privileged datasource users can pivot beyond the plugin's intended trust boundary; no public exploit identified at time of analysis.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires an authenticated Grafana user account with permission to execute queries against a configured Snowflake datasource (PR:L per CVSS), and the target Grafana instance must have the Snowflake datasource plugin installed at a version from 1.14.7 through 1.14.12. … |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) is consistent with a network-reachable, low-privilege authenticated attack that crosses a security boundary: any Grafana viewer/editor able to query the Snowflake datasource can read or overwrite files on the Grafana server, which is a severe trust-boundary break and justifies the 9.6 rating. … |
| Exploit Scenario | An attacker with a low-privilege Grafana account that can query a Snowflake datasource (for example, a compromised analyst login) issues a crafted query containing a Snowflake GET command to read sensitive files such as /etc/grafana/grafana.ini or provisioning secrets from the Grafana host, then uses PUT to overwrite a dashboard provisioning file or plugin asset to escalate impact. Because the scope changes (S:C), the damage extends beyond the datasource process to the Grafana server filesystem and potentially to the connected Snowflake stage. |
| Remediation | Upgrade the Grafana Snowflake datasource plugin to a version above 1.14.12 as published in the vendor advisory at https://grafana.com/security/security-advisories/cve-2026-28381 (a patch is available per the vendor advisory; confirm the exact fixed version against that page). … |
Recommended Action (AI-generated)
24 hours: Inventory all Grafana instances running Snowflake datasource plugin versions 1.14.7 through 1.14.12; disable or air-gap affected deployments if not immediately operationally critical; audit active user accounts with datasource query permissions and review Snowflake audit logs for recent GET/PUT command activity. …
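A defender-side triage helper for the two actions above (plugin inventory and audit-log review), added here as an example; it is not part of the advisory or of the Grafana or Snowflake projects. It checks plugin versions against the affected range stated on this page and flags GET/PUT statements in query-history rows. The inventory list and the query rows are constructed sample data; the row keys follow the column names of Snowflake's ACCOUNT_USAGE.QUERY_HISTORY view, and `plugin_version` is an assumed field name for whatever inventory export you use.

```python
import re

# Affected range as stated in the advisory: 1.14.7 through 1.14.12 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (1, 14, 7), (1, 14, 12)

# Snowflake file-transfer statements begin with GET (stage -> client) or PUT
# (client -> stage); tolerate leading block comments a client may prepend.
FILE_TRANSFER = re.compile(r"^\s*(?:/\*.*?\*/\s*)*(GET|PUT)\b", re.IGNORECASE | re.DOTALL)

INVENTORY = [  # constructed sample; real data comes from each Grafana's plugin list
    {"host": "grafana-prod-1", "plugin_version": "1.14.9"},
    {"host": "grafana-prod-2", "plugin_version": "1.14.13"},
    {"host": "grafana-dev", "plugin_version": "v1.13.5-beta"},
]

QUERY_HISTORY = [  # constructed rows shaped like SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
    {"USER_NAME": "GRAFANA_SVC", "QUERY_TEXT": "SELECT count(*) FROM metrics WHERE ts > :t"},
    {"USER_NAME": "GRAFANA_SVC", "QUERY_TEXT": "/* grafana */ get @~/sample.csv file:///tmp/"},
    {"USER_NAME": "GRAFANA_SVC", "QUERY_TEXT": "PUT file:///tmp/sample.csv @~ AUTO_COMPRESS=FALSE"},
    {"USER_NAME": "ANALYST", "QUERY_TEXT": "SELECT 1 -- GET is only mentioned in a comment here"},
]

def parse_version(v: str) -> tuple:
    """'v1.14.9-beta' -> (1, 14, 9): drop a leading 'v' and any pre-release suffix."""
    core = v.lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))

def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def affected_hosts(inventory) -> list:
    """Hosts whose Snowflake datasource plugin falls inside the affected range."""
    return [e["host"] for e in inventory if is_affected(e["plugin_version"])]

def flag_file_transfers(rows) -> list:
    """(user, verb) for every query-history row whose statement is a GET or PUT."""
    hits = []
    for row in rows:
        m = FILE_TRANSFER.match(row["QUERY_TEXT"])
        if m:
            hits.append((row["USER_NAME"], m.group(1).upper()))
    return hits

if __name__ == "__main__":
    print("affected hosts:", affected_hosts(INVENTORY))
    print("file transfers seen:", flag_file_transfers(QUERY_HISTORY))
```

Run the second check against the datasource's service user in particular, since every GET/PUT issued through the plugin arrives at Snowflake under that identity rather than the individual Grafana account that triggered it.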
Related identifiers
- EUVD-2026-38244
- GHSA-v3c5-p4mq-9369