CVE Catalog

CVE-2026-33380

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Risk Assessment

An attacker could gain access to sensitive data stored on the server, potentially leading to serious security breaches for the organization.

Recommendation

It is recommended to disable the sqlExpressions feature in Grafana instances to mitigate the risk associated with this vulnerability.

Original NVD description (English source)

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS