CVE-2026-33380
SQL Expressions Read File From Disk
CVSS 3.1: 6.3 (MEDIUM)
EPSS: 0.01%
Description
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
How to fix CVE-2026-33380
To remediate CVE-2026-33380, upgrade the affected package to a fixed version below.
- Bitnami/grafana: upgrade to 11.6.14 or later
Is CVE-2026-33380 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 11.6.0, < 11.6.14; >= 12.0.0, < 12.2.8; >= 12.3.0, < 12.3.6; >= 12.4.0, < 12.4.3; >= 13.0.0, < 13.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |