This vulnerability in Grafana OSS arises from the SQL Expressions functionality, which when enabled, permits an authenticated attacker with low privileges to read arbitrary files on the server filesystem. The affected versions include multiple releases from 11.6.0 up to 13.0.1. The CVSS 3.1 base score is 6.3, reflecting a medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and a confidentiality impact but no integrity or availability impact. The vulnerability is confirmed published but lacks an official fix or patch at this time.

An authenticated attacker with low privileges can exploit this vulnerability to read arbitrary files on the Grafana server, potentially exposing sensitive information. The impact is limited to confidentiality as there is no integrity or availability impact reported. Exploitation requires the sqlExpressions feature toggle to be enabled, which restricts the affected surface. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the sqlExpressions feature toggle if it is not required. Monitor Grafana vendor advisories for updates on patches or official mitigations. No other specific mitigations are provided by the vendor at this time.