CVE-2026-33380 Overview
CVE-2026-33380 is an arbitrary file read vulnerability in Grafana's SQL Expressions feature. An authenticated attacker can abuse the feature to read files from the Grafana server's filesystem. Only Grafana instances with the sqlExpressions feature toggle enabled are affected by the issue.
The flaw was disclosed in the Grafana Security Advisory and published to the National Vulnerability Database (NVD) on May 13, 2026. Exploitation requires valid Grafana credentials and network access to the server.
Critical Impact
An authenticated attacker can read arbitrary files on the Grafana server, exposing configuration secrets, credentials, and other sensitive data accessible to the Grafana process.
Affected Products
- Grafana instances with the sqlExpressions feature toggle enabled
- Grafana Enterprise deployments using SQL Expressions
- Grafana Cloud tenants with SQL Expressions opted in
Discovery Timeline
- 2026-05-13 - CVE-2026-33380 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-33380
Vulnerability Analysis
Grafana's SQL Expressions feature lets users run SQL queries against query results from other data sources. The implementation uses an embedded SQL engine to evaluate expressions on Grafana-managed data. The vulnerability arises because the SQL evaluation path exposes functionality that resolves filesystem paths supplied by the user.
An authenticated user with permission to build queries can craft a SQL expression that references a local file path. The backend reads the referenced file and returns its contents through the query response. This breaks the trust boundary between the Grafana application user and the host filesystem.
The issue is an information disclosure (arbitrary file read) flaw in a server-side query interpreter: user-controlled query text ends up naming a file on the host. It does not grant write access or code execution, but the exposure scope is broad: any file readable by the Grafana service account can be retrieved, which on a typical install includes grafana.ini, provisioning files, and the grafana.db SQLite database in the data directory.
Root Cause
The SQL Expressions engine accepts user-controlled input that influences file resolution operations without enforcing a filesystem sandbox. There is no allowlist restricting access to expected data directories, and user-supplied paths are not validated against the Grafana data root.
Attack Vector
Attack prerequisites are network access to the Grafana web interface, valid authenticated credentials, and a target instance with the sqlExpressions feature toggle enabled. The attacker submits a query containing a SQL expression that points at a sensitive file such as /etc/passwd, grafana.ini, or files holding API tokens. Grafana returns the file contents in the query response. The attack does not require user interaction beyond the attacker's own session.
No verified proof-of-concept code is available in public sources. See the Grafana Security Advisory for vendor technical detail.
Detection Methods for CVE-2026-33380
Indicators of Compromise
- Grafana query logs showing SQL Expression requests containing absolute filesystem paths or traversal sequences such as ../
- Unexpected access to sensitive paths like /etc/, /proc/, grafana.ini, or provisioning directories by the Grafana process
- Query results in audit logs containing file content patterns (configuration syntax, key material, /etc/passwd-style entries ending in /bin/bash or /bin/sh)
Detection Strategies
- Enable Grafana audit logging and forward events to a SIEM for analysis of SQL Expression query bodies
- Alert on any SQL Expression query whose payload references filesystem paths outside expected query semantics
- Correlate Grafana process file-access telemetry with the user session that submitted the originating query
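The detection strategies above amount to one rule: a SQL Expression is supposed to operate on other queries' result frames, so its SQL text has no business containing a host path. The script below, an added example and not Grafana's or any vendor's detection code, applies that rule to captured request bodies. It assumes the SIEM stores the JSON bodies that clients POST to Grafana's /api/ds/query endpoint one per line, and that a SQL Expression appears as a query object with datasource uid `__expr__`, type `sql`, and its SQL in an `expression` field; the field names are an assumption about the capture, adjust them to what your pipeline records. The sample lines are constructed; the flagged strings merely contain a path and are not a working exploit.

```python
"""Flag SQL Expression queries whose SQL text references host filesystem paths.

Added example, not Grafana code. Assumes JSON-lines captures of the bodies
POSTed to Grafana's /api/ds/query endpoint, with a SQL Expression shown as a
query whose datasource uid is "__expr__", type is "sql", and SQL is in
"expression" (assumed field names; adjust to your capture).
"""
import json
import re

# Things a SQL Expression over query results should never need: absolute
# Unix paths into sensitive trees, directory traversal, Windows drive paths,
# Grafana's own config/provisioning names, and private-key file suffixes.
SUSPICIOUS = re.compile(
    r"(?<![\w.-])/(?:etc|proc|root|home|var|usr|tmp|opt)/"
    r"|\.\./"
    r"|\.\.\\"
    r"|[A-Za-z]:\\"
    r"|grafana\.ini"
    r"|/provisioning/"
    r"|\.pem\b|\.key\b",
    re.IGNORECASE,
)


def is_sql_expression(query):
    """True for a Grafana expression query of type sql (assumed shape)."""
    ds = query.get("datasource") or {}
    return ds.get("uid") == "__expr__" and query.get("type") == "sql"


def scan_request(record):
    """Return findings for one captured /api/ds/query body (a dict)."""
    findings = []
    for q in record.get("queries", []):
        if not is_sql_expression(q):
            continue
        expr = q.get("expression", "")
        m = SUSPICIOUS.search(expr)
        if m:
            findings.append({
                "user": record.get("user"),
                "refId": q.get("refId"),
                "match": m.group(0),
                "expression": expr,
            })
    return findings


def scan_log(lines):
    """Scan JSON-lines; lines that are not JSON objects are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if isinstance(rec, dict):
            findings.extend(scan_request(rec))
    return findings


# Constructed sample capture (not real traffic): one benign SQL Expression over
# query A, two expressions that merely contain a path (not an exploit), one
# ordinary MySQL query that this rule deliberately ignores, and one junk line.
SAMPLE_LOG = """
{"user":"alice","queries":[{"refId":"A","datasource":{"type":"prometheus","uid":"p1"},"expr":"up"},{"refId":"C","datasource":{"type":"__expr__","uid":"__expr__"},"type":"sql","expression":"SELECT A.instance, A.value FROM A WHERE A.value > 0"}]}
{"user":"mallory","queries":[{"refId":"C","datasource":{"type":"__expr__","uid":"__expr__"},"type":"sql","expression":"SELECT '/etc/passwd' AS path"}]}
{"user":"mallory","queries":[{"refId":"D","datasource":{"type":"__expr__","uid":"__expr__"},"type":"sql","expression":"SELECT '../../conf/grafana.ini' AS path"}]}
{"user":"bob","queries":[{"refId":"A","datasource":{"type":"mysql","uid":"m1"},"rawSql":"SELECT 1"}]}
not json
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"user={f['user']} refId={f['refId']} match={f['match']!r}")
```

The rule is scoped to `__expr__` queries on purpose: a path literal inside a normal data-source query (bob's MySQL line) is a different concern and would drown this signal in false positives. Tune `SUSPICIOUS` to the directories your deployment actually holds secrets in, and pair the alert with the user/session correlation from the strategies above.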
Monitoring Recommendations
- Track which users have query-edit permissions on instances where sqlExpressions is enabled
- Monitor for the sqlExpressions feature toggle being enabled across managed Grafana deployments
- Review outbound responses from Grafana for unusually large or text-heavy query result payloads consistent with file dumps
How to Mitigate CVE-2026-33380
Immediate Actions Required
- Upgrade Grafana to a version that contains the fix referenced in the Grafana Security Advisory
- Disable the sqlExpressions feature toggle on instances that do not require it
- Rotate any credentials, API tokens, or secrets stored on the Grafana host that may have been exposed to authenticated users
Patch Information
Grafana has issued fixed releases addressing the SQL Expressions file read path. Refer to the vendor's Grafana Security Advisory for the specific fixed version numbers that match your deployment channel (OSS, Enterprise, or Cloud). Grafana Cloud tenants are patched by the vendor.
Workarounds
- Remove sqlExpressions from the feature_toggles.enable setting in grafana.ini (or from the GF_FEATURE_TOGGLES_ENABLE environment variable if toggles are set that way) until patching is complete; drop only that toggle so other toggles the instance relies on stay in place
- Restrict query-editor and Editor role assignments to a minimal trusted set of users
- Run the Grafana process under a dedicated low-privilege account with no read access to host secrets or unrelated configuration files
# Disable the sqlExpressions feature toggle in grafana.ini
# (keep any other toggles you rely on; only drop sqlExpressions from the list)
[feature_toggles]
enable =
# If toggles are set through the environment instead, remove sqlExpressions
# from GF_FEATURE_TOGGLES_ENABLE or unset it
# Then restart the service
sudo systemctl restart grafana-server
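The workaround above and the monitoring recommendation to track where sqlExpressions is enabled both need the same check: read the effective feature-toggle configuration and produce the corrected value with only that toggle removed. The script below is an added example, not Grafana's own tooling. It relies on three Grafana conventions: the `[feature_toggles]` section's `enable =` list, the alternative form where a toggle is its own key (`sqlExpressions = true`), and the `GF_<SECTION>_<KEY>` environment override, under which GF_FEATURE_TOGGLES_ENABLE replaces the file's `enable =` value. The grafana.ini fragment is constructed and the toggle names other than sqlExpressions are placeholders.

```python
"""Report whether sqlExpressions is on and what to change to turn it off.

Added example, not Grafana code. Handles the enable= list in [feature_toggles],
a toggle set as its own key (sqlExpressions = true), and the
GF_FEATURE_TOGGLES_ENABLE environment override, which replaces the file's
enable= list. Comma- and whitespace-separated lists are both accepted.
"""
import configparser
import os

TOGGLE = "sqlExpressions"
ENV_KEY = "GF_FEATURE_TOGGLES_ENABLE"


def parse_toggles(value):
    """Split 'a,b' or 'a b' (or a mix) into a clean list of toggle names."""
    return [t for t in value.replace(",", " ").split() if t]


def load_ini(ini_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep camelCase toggle keys as written
    cp.read_string(ini_text)
    return cp


def enabled_toggles(ini_text, environ=None):
    """Effective toggle list; the env override replaces the file's enable= list."""
    environ = os.environ if environ is None else environ
    cp = load_ini(ini_text)
    env_value = environ.get(ENV_KEY)
    if env_value is not None:
        source = parse_toggles(env_value)
    elif cp.has_option("feature_toggles", "enable"):
        source = parse_toggles(cp.get("feature_toggles", "enable"))
    else:
        source = []
    toggles = []
    for t in source:
        if t not in toggles:
            toggles.append(t)
    # Toggles may also be set as individual keys: sqlExpressions = true
    if cp.has_section("feature_toggles"):
        for key, value in cp.items("feature_toggles"):
            if key != "enable" and value.strip().lower() == "true" and key not in toggles:
                toggles.append(key)
    return toggles


def sql_expressions_enabled(ini_text, environ=None):
    return TOGGLE in enabled_toggles(ini_text, environ)


def hardening_plan(ini_text, environ=None):
    """Every place sqlExpressions appears, with the corrected value for each.

    Keys: "enable" (new enable= value for grafana.ini), ENV_KEY (new value for
    the environment override), "remove_key" (an individual-key entry to delete).
    An empty dict means there is nothing to change.
    """
    environ = os.environ if environ is None else environ
    cp = load_ini(ini_text)
    plan = {}
    env_value = environ.get(ENV_KEY)
    if env_value is not None and TOGGLE in parse_toggles(env_value):
        plan[ENV_KEY] = ",".join(t for t in parse_toggles(env_value) if t != TOGGLE)
    if cp.has_option("feature_toggles", "enable"):
        listed = parse_toggles(cp.get("feature_toggles", "enable"))
        if TOGGLE in listed:
            plan["enable"] = ",".join(t for t in listed if t != TOGGLE)
    if cp.has_option("feature_toggles", TOGGLE) and cp.getboolean("feature_toggles", TOGGLE):
        plan["remove_key"] = TOGGLE
    return plan


# Constructed grafana.ini fragment (not from a real deployment); the toggles
# around sqlExpressions are placeholder names that must survive the rewrite.
SAMPLE_INI = """
[server]
http_port = 3000

[feature_toggles]
enable = exampleToggleA,sqlExpressions, exampleToggleB
"""

if __name__ == "__main__":
    print("enabled:", sql_expressions_enabled(SAMPLE_INI))
    print("plan:", hardening_plan(SAMPLE_INI))
```

Run it against each managed instance's grafana.ini and environment (for example from a configuration-management inventory) to get the list the monitoring recommendation asks for; the plan output is the exact `enable =` line to write back, so nothing else in the toggle list changes. Restart grafana-server afterwards, as the workaround notes.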
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


