CVE-2026-33380

Summary

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana OSS11.6.0 <= 11.6.14affected
GrafanaGrafana OSS11.6.14 < 11.6.14+security-04affected
GrafanaGrafana OSS12.0.0 <= 12.2.8affected
GrafanaGrafana OSS12.2.8 < 12.2.8+security-04affected
GrafanaGrafana OSS12.3.0 <= 12.3.6affected
GrafanaGrafana OSS12.3.6 < 12.3.6+security-04affected
GrafanaGrafana OSS12.4.0 <= 12.4.3affected
GrafanaGrafana OSS12.4.3 < 12.4.3+security-02affected
GrafanaGrafana OSS13.0.0 <= 13.0.1affected
GrafanaGrafana OSS13.0.1 < 13.0.1+security-01affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References