CVE-2026-33380
6.3 MEDIUMA vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem
Published: 2026-05-13 · Last updated: 2026-06-16
Severity and scoring
- CVSS
- 6.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
- CWE
- CWE-552
Affected products
| Vendor | Product |
|---|---|
| grafana | grafana |
Description
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-33381 — When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the... (5.9 MEDIUM)
- CVE-2026-33378 — Using the $__timeGroup macro, one can achieve an OOM by overloading the server (6.5 MEDIUM)
- CVE-2026-33377 — An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard (7.1 HIGH)
- CVE-2026-33376 — When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses (7.4 HIGH)
- CVE-2026-28383 — A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory (6.5 MEDIUM)
Same CWE
- CVE-2025-14771 — Files or directories accessible to external parties vulnerability in ABB T-MAC Plus (9.9 CRITICAL)
- CVE-2026-45543 — Nextcloud is an open source content collaboration platform (5.3 MEDIUM)
- CVE-2026-40425 — The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to auth... (5.7 MEDIUM)
- CVE-2026-45088 — Dalfox is a powerful open-source XSS scanner and utility focused on automation (7.5 HIGH)
- CVE-2024-56462 — IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be rest... (7.2 HIGH)