SQL Expressions Read File From Disk
Medium
| Advisory ID: | CVE-2026-33380 |
| Published: | 2026-05-13 |
| Product: | Grafana |
| CVSS Score: | 6.3 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
| Fixed Versions: | >=11.6.14+security-04, >=12.2.8+security-04, >=12.3.6+security-04, >=12.4.3+security-02, >=13.0.1+security-01 |
Summary
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server’s filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
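
One way to triage an instance against the two conditions above (toggle enabled, version below the fix), as an added example that is not Grafana's own code. The function names are hypothetical. It assumes the toggle is set through the `[feature_toggles]` section of grafana.ini or the `GF_FEATURE_TOGGLES_ENABLE` environment variable, and that builds within a release line order by patch number and then by `+security-NN` number.

```python
import configparser
import re

# Per release line: (patch, security build) from the advisory's "Fixed Versions" row.
FIXED = {(11, 6): (14, 4), (12, 2): (8, 4), (12, 3): (6, 4),
         (12, 4): (3, 2), (13, 0): (1, 1)}
TOGGLE = "sqlExpressions"

def parse_version(version):
    """'12.3.6+security-04' -> ((12, 3), (6, 4)); a missing suffix counts as build 0."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor)), (int(patch), int(sec or 0))

def is_patched(version):
    """True/False on a listed release line; None when the advisory lists no fix for it."""
    line, build = parse_version(version)
    # Assumption: within a line, builds order by patch number, then security number.
    return build >= FIXED[line] if line in FIXED else None

def toggle_enabled(ini_text, env=None):
    """True if sqlExpressions is switched on in grafana.ini text or the environment."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # toggle names are camelCase, so keep key case
    # grafana.ini may start with keys outside any section; park them in a dummy one.
    cp.read_string("[__top__]\n" + ini_text)
    names = set()
    if cp.has_section("feature_toggles"):
        sec = cp["feature_toggles"]
        names.update(re.split(r"[,\s]+", sec.get("enable", "")))
        names.update(k for k, v in sec.items() if v.strip().lower() == "true")
    names.update(re.split(r"[,\s]+", (env or {}).get("GF_FEATURE_TOGGLES_ENABLE", "")))
    return TOGGLE in names

def exposed(version, ini_text, env=None):
    """Toggle on and version not confirmed fixed (unlisted lines count as unconfirmed)."""
    return toggle_enabled(ini_text, env) and is_patched(version) is not True

# Constructed sample config, not taken from a real deployment.
SAMPLE_INI = """app_mode = production
[feature_toggles]
; comma-separated list form
enable = exampleToggle, sqlExpressions
"""

if __name__ == "__main__":
    for v in ("12.3.6+security-03", "12.3.6+security-04", "12.1.0"):
        print(v, "exposed" if exposed(v, SAMPLE_INI) else "not exposed")
```

A release line the advisory does not list (such as the constructed `12.1.0` input) is reported as exposed when the toggle is on, because the page gives no fixed build to compare against.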