Today we are releasing Grafana 12.4.2 along with security patches for Grafana 12.3, 12.2, 12.1, and 11.6, which include critical and high severity security fixes. We recommend that you install the newly released versions as soon as possible.

Grafana is an open-source analytics and monitoring platform that allows users to visualize and analyze metrics from various data sources. The Grafana blog covers topics such as data visualization, monitoring best practices, and new features in Grafana software. Developers and data engineers can learn how to leverage Grafana for monitoring infrastructure, analyzing performance metrics, and creating interactive dashboards for data-driven decision-making.

Grafana Labs

Grafana Labs has released security patches for Grafana 12.4.2, 12.3, 12.2, 12.1, and 11.6 addressing two vulnerabilities. CVE-2026-27876 (CVSS 9.1 CRITICAL) allows arbitrary file writes via the SQL expressions feature, enabling remote code execution including SSH access to the host — affecting v11.6.0 and later with the sqlExpressions feature toggle enabled. CVE-2026-27880 (CVSS 7.5 HIGH) is an unauthenticated denial-of-service via the OpenFeature endpoint that can crash the server through memory exhaustion — affecting v12.1.0 and later. Immediate upgrade is strongly recommended. Workarounds include disabling the sqlExpressions toggle, updating or disabling Sqlyze, and using a reverse proxy to limit payload size.

Grafana security release: Critical and high severity security fixes for CVE-2026-27876 and CVE-2026-27880

CVE-2026-27876: SQL expressions arbitrary file write enabling remote code execution

CVE-2026-27880: Unauthenticated denial-of-service via OpenFeature endpoint