CVE-2026-33380
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Risk Assessment
An attacker could gain access to sensitive data stored on the server, potentially leading to serious security breaches for the organization.
Recommendation
It is recommended to disable the sqlExpressions feature in Grafana instances to mitigate the risk associated with this vulnerability.
Original NVD description (English source)
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

