The Grafana team has released an urgent security advisory following the discovery of two significant vulnerabilities that could allow attackers to hijack servers or crash instances. The release of Grafana 12.4.2, alongside patches for versions 12.3, 12.2, 12.1, and 11.6, addresses a critical Remote Code Execution (RCE) flaw and a high-severity Denial-of-Service (DoS) vulnerability.
Security teams are advised to “install the newly released versions as soon as possible” to protect their monitoring infrastructure.
The most severe threat, tracked as CVE-2026-27876 (CVSS 9.1), lies within Grafana’s SQL expressions feature. This tool is designed to help users transform query data using familiar SQL syntax, but a flaw in how it handles file writes has turned it into a dangerous entry point.
According to the advisory:
“This syntax, however, also permitted writing arbitrary files to the file system in such a way that one could chain several attack vectors to achieve remote code execution”.
How the attack works:
- Requirements: An attacker only needs Viewer permissions or higher to execute data source queries.
- The Exploit: By enabling the sqlExpressions feature toggle, an attacker can overwrite a Sqlyze driver or create a malicious AWS data source configuration file.
- The Result: Successful exploitation can grant a full SSH connection to the Grafana host.
The second flaw, CVE-2026-27880 (CVSS 7.5), targets Grafana’s OpenFeature endpoints. These endpoints currently do not require authentication and, more importantly, accept “unbounded user input”.
Because this input is read directly into memory, an unauthenticated attacker can crash the server by sending massive requests that exhaust all available system memory. This vulnerability impacts versions v12.1.0 and later.
The primary recommendation for all administrators is a full upgrade to the latest patched versions. However, for those who cannot update immediately, several workarounds are available:
| Vulnerability | Mitigation Options |
|---|---|
| CVE-2026-27876 (RCE) | • Disable the sqlExpressions feature toggle. • Update Sqlyze to v1.5.0 or disable it. • Disable all installed AWS data sources. |
| CVE-2026-27880 (DoS) | • Deploy Grafana in a highly available environment with automatic restarts. • Use a reverse proxy (like Nginx or Cloudflare) to limit input payload size. |
Administrators should note that while these workarounds reduce risk, “they may cause disruption to Grafana users and do not fully remediate the vulnerability”.
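As an added illustration of the reverse-proxy workaround for CVE-2026-27880 (this is example configuration written for this article, not from the Grafana advisory), the nginx snippet below caps request body size in front of Grafana so oversized payloads are rejected with HTTP 413 before they reach the unauthenticated OpenFeature endpoints. The upstream address, hostname and the `/apis/features.grafana.app/` path prefix are assumptions; verify the exact endpoint paths against your Grafana version before deploying.

```nginx
# Assumed Grafana listen address; adjust to your deployment.
upstream grafana {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name grafana.example.com;   # placeholder hostname

    # Weak setting (do NOT use): an unlimited body size passes any payload
    # straight through to Grafana, which reads it into memory.
    # client_max_body_size 0;

    # Hardened: cap request bodies for the whole virtual host. nginx returns
    # 413 Request Entity Too Large and never forwards the body upstream.
    client_max_body_size 1m;

    # Tighter cap on the feature-flag endpoints, which only carry small JSON.
    # Path prefix is an ASSUMPTION; confirm it for your Grafana release.
    location /apis/features.grafana.app/ {
        client_max_body_size 8k;
        proxy_pass http://grafana;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://grafana;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Rejected requests appear in the nginx access log with status 413, which gives security teams a cheap detection signal for abuse attempts while the upgrade is scheduled.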