CVE-2026-33380: Grafana: SQL Expressions Read File From Disk

May 13, 2026 (updated June 18, 2026)

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server’s filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

References

github.com/advisories/GHSA-gxcp-jjxh-rwp4
github.com/grafana/grafana/commit/fb7336fc36c14e1ff869482c5085ddb9f39e1b86
grafana.com/security/security-advisories/cve-2026-33380
nvd.nist.gov/vuln/detail/CVE-2026-33380

Code Behaviors & Features

Detect and mitigate CVE-2026-33380 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →