EUVD-2026-30145
Files or Directories Accessible to External Parties (CWE-552)
GHSA-gxcp-jjxh-rwp4
6.5
CVSS 3.1 · NVD
Share
Severity by source
NVD
PRIMARY
6.5
MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
6.3
MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Red Hat
6.3
MEDIUM
qualitative
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Lifecycle Timeline
3
CVSS changed
Jun 16, 2026 - 19:37 NVD
6.3 (MEDIUM)
6.5 (MEDIUM)
Analysis Generated
Jun 08, 2026 - 12:40 vuln.today
Patch available
May 13, 2026 - 21:02 EUVD
DescriptionNVD
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
AnalysisAI
Arbitrary file read in Grafana OSS exposes server filesystem contents to authenticated low-privilege users when the sqlExpressions feature toggle is enabled. Affected versions span the 11.6.x, 12.x, and 13.0.x release trains, with fixed security builds available across all affected branches. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Access
Authenticate as low-privilege Grafana user
Delivery
Target instance with sqlExpressions toggle enabled
Exploit
Craft SQL expression referencing filesystem path
Execution
Submit query via Grafana API or UI
Impact
Server returns arbitrary file contents
Access
Authenticate as low-privilege Grafana user
Delivery
Target instance with sqlExpressions toggle enabled
Exploit
Craft SQL expression referencing filesystem path
Execution
Submit query via Grafana API or UI
Impact
Server returns arbitrary file contents
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: first, the sqlExpressions feature toggle must be explicitly enabled in the Grafana instance configuration - this is a non-default setting that must be deliberately activated by an administrator; second, the attacker must hold a valid authenticated Grafana account with at least low-privilege access (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.3 score reflects meaningful but bounded risk: the network attack vector (AV:N) confirms remote reachability, but high attack complexity (AC:H) and low privilege requirement (PR:L) together indicate exploitation is not trivial and requires an authenticated session plus non-default configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid low-privilege Grafana account on an instance where the sqlExpressions feature toggle has been enabled crafts a malicious SQL expression referencing a sensitive filesystem path (such as /etc/passwd or application secret files) and submits it through the Grafana query interface or API. The server evaluates the expression and returns the file contents in the query response, allowing the attacker to systematically enumerate and exfiltrate sensitive server-side files. … |
| Remediation | The primary remediation is to upgrade Grafana OSS to the appropriate security-patched release for your branch: 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, or 13.0.1+security-01, as detailed in the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-33380. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Vendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools for SLE 15 | Fixed |
| SUSE Multi-Linux Manager Client Tools for SLE 15 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| ses/7.1/ceph/grafana ses/7/ceph/grafana suse/multi-linux-manager/5.2/x86_64/monitoring-grafana | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
Destination URL
POC code from unknown sources may be malicious, contain backdoors, or be fake.
Always review and test exploit code in a safe, isolated environment (VM/sandbox).
Verify the source reputation and cross-reference with known databases (Exploit-DB, GitHub Security).