MEDIUM 6.3
GHSA-gxcp-jjxh-rwp4
Grafana: SQL Expressions Read File From Disk
Details
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Affected packages
Go / github.com/grafana/grafana
Introduced in: 0
Fixed in: 1.9.2-0.20260513165311-fb7336fc36c1
Fix:
go get github.com/grafana/grafana@v1.9.2-0.20260513165311-fb7336fc36c1