Critical Grafana flaws can lead to remote code execution and server crashes
Grafana users need to patch quickly. Grafana Labs has released security fixes for two newly disclosed vulnerabilities, including one critical bug that can lead to remote code execution and another high-severity issue that can crash a server through unauthenticated requests. The fixes landed in Grafana 12.4.2 and backported releases for older supported branches.
The more dangerous flaw is CVE-2026-27876, which Grafana rates Critical with a CVSS score of 9.1. Grafana says the bug sits in the SQL Expressions feature and can let an attacker write arbitrary files to the server, which then opens a path to full code execution when combined with other components in the environment.
The second issue, CVE-2026-27880, is a High severity denial-of-service bug with a CVSS score of 7.5. Grafana says unauthenticated OpenFeature evaluation endpoints accept unbounded input into memory, which means a remote attacker can send oversized requests and force the Grafana server into an out-of-memory crash.
How the critical Grafana RCE bug works
Grafana says CVE-2026-27876 affects instances where the sqlExpressions feature toggle is enabled. According to the company, the feature allows query data to be transformed with SQL syntax, but that same behavior also made arbitrary file writes possible in a way that could be chained into remote code execution.
The attack is not fully unauthenticated. Grafana says an attacker needs permission to execute data source queries, which means Viewer access or higher. If that condition is met, the attacker can overwrite a Sqlyze driver or write an AWS data source configuration file and then use that foothold to reach full code execution.
Grafana also confirmed the chain can be severe enough to produce an unauthorized SSH connection to the underlying host. That detail matters because it moves the impact beyond dashboard abuse and into direct server compromise.
The DoS flaw is easier to reach
CVE-2026-27880 does not require authentication. Grafana says the vulnerable OpenFeature evaluation endpoints read unbounded input into memory, which gives an attacker a simple way to exhaust available memory and crash the instance.
That makes the second bug less powerful than the RCE issue, but easier to trigger. A remote attacker does not need an account, special privileges, or user interaction. They only need to hit the exposed endpoint with sufficiently large requests.
Grafana says this vulnerability affects versions 12.1.0 and later. The critical SQL Expressions issue has a wider exposure window, with impacted versions starting at 11.6.0, and only where the sqlExpressions feature toggle is enabled.
Affected and fixed versions
| Issue | Severity | Impact | Affected versions | Fixed versions |
|---|---|---|---|---|
| CVE-2026-27876 | Critical 9.1 | Arbitrary file write that can chain into RCE | 11.6.0 and later, with sqlExpressions enabled | 12.4.2, 12.3.6, 12.2.8, 12.1.10, 11.6.14 |
| CVE-2026-27880 | High 7.5 | Unauthenticated DoS via memory exhaustion | 12.1.0 and later | 12.4.2, 12.3.6, 12.2.8, 12.1.10, 11.6.14 |
Grafana says managed offerings received advance fixes under embargo. The company stated that Grafana Cloud was patched, and that Amazon Managed Grafana and Azure Managed Grafana had also confirmed their offerings were secure at the time of the public announcement.
That reduces the immediate risk for customers on managed services, but self-hosted teams still need to act. If you run Grafana on your own infrastructure, these bugs remain your patching problem until you upgrade or apply temporary mitigations.
What admins should do right now
The best fix is to upgrade to a patched version as soon as possible. Grafana’s published fixed versions are 12.4.2, 12.3.6, 12.2.8, 12.1.10, and 11.6.14.
If you cannot patch immediately, Grafana says you should disable the sqlExpressions feature toggle to reduce exposure to CVE-2026-27876. The company also says a stronger temporary mitigation requires both updating Sqlyze to at least v1.5.0 or disabling it, and disabling all AWS data sources. Grafana warns that these steps reduce risk but do not fully remediate the issue.
For CVE-2026-27880, Grafana recommends running in a highly available setup with automatic restarts and placing a reverse proxy in front of Grafana to cap request size. Grafana specifically notes that Cloudflare does this by default and that Nginx can enforce it through configuration (Nginx's request body cap is the client_max_body_size directive). Remember that a restart only buys recovery time: the endpoint can be hit again immediately, so the size limit is the part that actually blocks the attack.
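The patch and mitigation advice above spans five release branches and one feature toggle, so it is easy to misjudge a single instance's status. The script below is an added example, not Grafana Labs' code or part of the advisory. It takes the JSON that a real deployment returns from GET /api/health (which carries the version string) and GET /api/frontend/settings (which carries the featureToggles map), compares the version against the fixed releases and first-affected versions from the advisory, and reports each CVE as not affected, patched, mitigated or exposed. The two API responses are constructed inline so it runs offline; the exact field names are assumed from Grafana's frontend settings API, and the handling of branches newer than 12.4 (treated as fixed) is an assumption, not something the advisory states.

```python
"""Assess a self-hosted Grafana instance's exposure to CVE-2026-27876 and
CVE-2026-27880 from its reported version and feature toggles.

Added example, not Grafana Labs' code. In a real check the two JSON documents
come from GET /api/health and GET /api/frontend/settings; here they are
constructed sample responses so the script runs offline.
"""
import json

# Fixed releases from the advisory, keyed by (major, minor) branch.
FIXED = {
    (12, 4): (12, 4, 2),
    (12, 3): (12, 3, 6),
    (12, 2): (12, 2, 8),
    (12, 1): (12, 1, 10),
    (11, 6): (11, 6, 14),
}

# First affected version per CVE, from the advisory.
FIRST_AFFECTED = {
    "CVE-2026-27876": (11, 6, 0),   # SQL Expressions file write; needs sqlExpressions toggle
    "CVE-2026-27880": (12, 1, 0),   # unauthenticated OpenFeature evaluation DoS
}


def parse_version(version):
    """'12.4.1' or '12.4.1-pre' -> (12, 4, 1); pre-release/build suffixes are dropped."""
    core = version.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(ver):
    """True if ver is at or above the fixed release for its branch.

    Assumption (not from the advisory): branches newer than 12.4 are treated as
    fixed because they ship after the fix. Branches inside the affected range but
    absent from the table (e.g. 12.0.x) have no listed fix, so they count as unfixed.
    """
    branch = ver[:2]
    if branch in FIXED:
        return ver >= FIXED[branch]
    return branch > (12, 4)


def assess(health_json, settings_json):
    """Map each CVE to 'not affected', 'patched', a 'mitigated (...)' note, or 'exposed'."""
    ver = parse_version(json.loads(health_json)["version"])
    toggles = json.loads(settings_json).get("featureToggles", {})
    result = {}
    for cve, first in FIRST_AFFECTED.items():
        if ver < first:
            result[cve] = "not affected"
        elif is_fixed(ver):
            result[cve] = "patched"
        elif cve == "CVE-2026-27876" and not toggles.get("sqlExpressions", False):
            # Toggle off removes the SQL Expressions attack surface but is not a fix.
            result[cve] = "mitigated (sqlExpressions disabled)"
        else:
            result[cve] = "exposed"
    return result


# Constructed sample responses (not captured from a real server).
HEALTH_VULNERABLE = '{"commit": "deadbeef", "database": "ok", "version": "12.3.5"}'
HEALTH_PATCHED = '{"commit": "cafebabe", "database": "ok", "version": "12.3.6"}'
HEALTH_OLD = '{"commit": "0badf00d", "database": "ok", "version": "11.5.3"}'
SETTINGS_TOGGLE_ON = '{"featureToggles": {"sqlExpressions": true}}'
SETTINGS_TOGGLE_OFF = '{"featureToggles": {}}'

if __name__ == "__main__":
    for label, health, settings in [
        ("12.3.5, sqlExpressions on ", HEALTH_VULNERABLE, SETTINGS_TOGGLE_ON),
        ("12.3.5, sqlExpressions off", HEALTH_VULNERABLE, SETTINGS_TOGGLE_OFF),
        ("12.3.6, sqlExpressions on ", HEALTH_PATCHED, SETTINGS_TOGGLE_ON),
        ("11.5.3, sqlExpressions on ", HEALTH_OLD, SETTINGS_TOGGLE_ON),
    ]:
        print(label, assess(health, settings))
```

Note that "mitigated" here only reflects the feature toggle; the stronger interim step the advisory describes (updating or disabling Sqlyze and disabling AWS data sources) is not visible through these two endpoints and still has to be checked on the host.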
Quick checklist
- Upgrade Grafana to a fixed release immediately
- Disable sqlExpressions if you cannot patch yet
- Update Sqlyze to v1.5.0 or later, or disable it
- Disable AWS data sources if you must rely on the temporary RCE mitigation
- Put a reverse proxy in front of Grafana and limit request sizes
- Review whether exposed Grafana instances allow Viewer query execution
FAQ
Which of the two Grafana flaws is more serious?
CVE-2026-27876 is the more serious flaw. Grafana rates it Critical and says it can lead to remote code execution through arbitrary file writes when sqlExpressions is enabled.
Does the RCE flaw require authentication?
Yes. Grafana says the attacker needs Viewer permissions or higher so they can execute data source queries.
Can the DoS flaw be triggered without an account?
Yes. Grafana says the OpenFeature evaluation endpoint accepts unbounded input without authentication, which can let a remote attacker crash the server.
Are managed Grafana services affected?
Grafana says Grafana Cloud was patched under embargo, and that Amazon Managed Grafana and Azure Managed Grafana confirmed they were secure at the time of the announcement.
Which Grafana versions contain the fixes?
Grafana says the patched releases are 12.4.2, 12.3.6, 12.2.8, 12.1.10, and 11.6.14.