This vulnerability (CVE-2026-27876) in Grafana Enterprise arises from a chained attack vector involving SQL Expressions and a plugin, enabling remote code execution. It specifically affects versions with the sqlExpressions feature enabled within the version ranges 11.6.0 to before 11.6.14, 12.0.0 to before 12.1.10, 12.2.0 to before 12.2.8, 12.3.0 to before 12.3.6, and 12.4.0 to before 12.4.2. The vulnerability is addressed in versions 11.6.14, 12.1.10, 12.2.8, 12.3.6, 12.4.2, and all versions 13.0.0 and later. The CVSS 3.1 base score is 9.1, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. The vulnerability is categorized under CWE-94 (Improper Control of Generation of Code).

Successful exploitation of this vulnerability can lead to remote arbitrary code execution, compromising the confidentiality, integrity, and availability of the affected system. This can allow attackers with high privileges to execute code remotely without user interaction. The vulnerability affects only instances with the sqlExpressions feature enabled and specific vulnerable versions. There are no known exploits in the wild at the time of publication.

A fix is available in Grafana Enterprise versions 11.6.14, 12.1.10, 12.2.8, 12.3.6, 12.4.2, and all versions 13.0.0 and above. Users should update affected instances to these fixed versions to remediate the vulnerability. Instances with the sqlExpressions feature toggle disabled are not vulnerable. Since this is not a cloud service, remediation depends on user patching. Patch status is confirmed by the vendor advisory embedded in the version information.