CVE-2026-33380 MEDIUM

CVE-2026-33380: SQL Expressions Read File From Disk

Vendor: Grafana
Product: Grafana OSS
Published: May 13, 2026
Last update: June 12, 2026

CVSS base score

6.3/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

Key dates

02 Disclosure timeline

May 13, 2026: CVE published
June 12, 2026: Record updated