Home
MEDIUM: 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NDefault status
unaffected
11.6.0 (semver)
affected
11.6.14 (custom) before 11.6.14+security-04
affected
12.0.0 (semver)
affected
12.2.8 (custom) before 12.2.8+security-04
affected
12.3.0 (semver)
affected
12.3.6 (custom) before 12.3.6+security-04
affected
12.4.0 (semver)
affected
12.4.3 (custom) before 12.4.3+security-02
affected
13.0.0 (semver)
affected
13.0.1 (custom) before 13.0.1+security-01
affected
Description
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Product status
11.6.0 (semver)
11.6.14 (custom) before 11.6.14+security-04
12.0.0 (semver)
12.2.8 (custom) before 12.2.8+security-04
12.3.0 (semver)
12.3.6 (custom) before 12.3.6+security-04
12.4.0 (semver)
12.4.3 (custom) before 12.4.3+security-02
13.0.0 (semver)
13.0.1 (custom) before 13.0.1+security-01
References
grafana.com/security/security-advisories/cve-2026-33380