Grafana security release: Critical and high severity security fixes for CVE-2026-27876 and CVE-2026-27880

Grafana Labs Blog

Grafana just patched two serious vulnerabilities that should move to the top of your upgrade queue this week. The first is a genuine RCE chain with a CVSS score of 9.1; the second is an unauthenticated memory-exhaustion DoS. Both are exploitable with relatively low complexity, and the RCE has already been confirmed to yield a shell (SSH access) on the Grafana host.

CVE-2026-27876 is the more severe issue. The SQL expressions feature, which lets you transform query results using SQL syntax, was reimplemented with MySQL syntax in version 11.6.0 back in February 2025. That reimplementation introduced a primitive for writing arbitrary files to the host filesystem through SQL expressions. The attack chain turns that file write into code execution either by overwriting a Sqlyze driver or by planting a crafted AWS data source configuration file. Any user with Viewer permissions or higher can execute data source queries, so the threat model here includes every authenticated user, not just admins; with anonymous access enabled it includes everyone who can reach the instance.

The critical detail: this only affects instances where the sqlExpressions feature toggle is enabled. If you're running Grafana 11.6.0 or later and haven't explicitly enabled this toggle, you're not exposed to the RCE. That said, feature toggles are often switched on in testing or staging environments and forgotten, so audit your entire fleet. The toggle can be set in the [feature_toggles] section of grafana.ini (enable = sqlExpressions) or through the GF_FEATURE_TOGGLES_ENABLE environment variable, so check both when you audit. The workaround options are disruptive: either disable sqlExpressions entirely, or, if you need it, update Sqlyze to v1.5.0+ and disable all AWS data sources. Neither closes the underlying file-write primitive, so treat them as temporary measures while you schedule the upgrade.

CVE-2026-27880 is more straightforward but still painful. Starting in version 12.1.0, Grafana exposes OpenFeature evaluation endpoints that require no authentication and read request bodies of unbounded size into memory. An attacker can simply send large payloads to exhaust memory and crash your Grafana instances. The CVSS score of 7.5 reflects the ease of exploitation and the lack of authentication required. This is the kind of vulnerability that gets scripted into automated scanning tools within days of disclosure.

The mitigation story here is better. If you're running Grafana behind Cloudflare, you were effectively shielded, since Cloudflare enforces a default upload size limit; that protection only holds if the origin isn't reachable directly. Otherwise, you can cap request bodies at the reverse proxy (in nginx, client_max_body_size on the server or location block that fronts Grafana; the built-in default is 1m) or deploy Grafana in HA with automatic restarts to reduce downtime. These workarounds are more viable than the RCE mitigations, but they're still just buying time.

Grafana's disclosure timeline is worth noting. They gave paying customers and cloud providers two weeks of early access to patches under embargo, and Grafana Cloud was patched within hours of internal incident declaration. If you're self-hosting, you're working with publicly available patches now, which means attackers have the same information. The RCE was responsibly disclosed through their bug bounty program, while the DoS was found internally.

Patched versions are available across five release branches: 12.4.2, 12.3.6, 12.2.8, 12.1.10, and 11.6.14. If you're still on 11.5.x or earlier, you're not affected by either issue, but you should have an upgrade plan anyway given the age of those releases. If you're on a branch with no listed patch (12.0.x, for example), move to one that has one. For everyone else, this is a patch-now situation. The RCE in particular has a confirmed exploit path, and the window between public disclosure and active exploitation is measured in days, not weeks.
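To make the exposure rules above (RCE only when sqlExpressions is on and the version is 11.6.0 or later; DoS from 12.1.0; the five fixed releases) something you can run across a fleet inventory, here is an added example audit helper. It is not Grafana's code and not part of the original advisory. It reads the feature toggle from a grafana.ini text and/or the GF_FEATURE_TOGGLES_ENABLE variable, using the two toggle forms Grafana documents, and maps a version string to the CVEs that still apply. The sample ini and host list are constructed; treating a branch with no listed fix (such as 12.0.x) as unpatched is this example's conservative assumption, not a statement from the advisory.

```python
"""Added example: fleet audit helper for CVE-2026-27876 and CVE-2026-27880.

Version ranges come from the advisory text; ini/env parsing follows the
documented [feature_toggles] forms. Not Grafana's own code.
"""
import configparser
import re
from typing import Mapping, Optional

CVE_RCE = "CVE-2026-27876"  # SQL expressions -> arbitrary file write -> RCE
CVE_DOS = "CVE-2026-27880"  # unauthenticated OpenFeature endpoints -> memory exhaustion

# First fixed patch release on each branch that received a fix (from the advisory).
PATCHED = {(11, 6): 14, (12, 1): 10, (12, 2): 8, (12, 3): 6, (12, 4): 2}

RCE_INTRODUCED = (11, 6, 0)  # SQL expressions reimplemented with MySQL syntax
DOS_INTRODUCED = (12, 1, 0)  # OpenFeature evaluation endpoints added

# Constructed sample grafana.ini: a toggle left on from a staging rollout.
SAMPLE_INI = """\
[server]
http_port = 3000

[feature_toggles]
; constructed sample, not a real deployment
enable = sqlExpressions,kubernetesDashboards
"""


def parse_version(version: str) -> tuple:
    """'12.3.5' or 'v12.3.5' -> (12, 3, 5); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(v: tuple) -> bool:
    """True when v is at or above the fixed release on its branch.

    Assumption (not from the advisory): a branch with no listed fix, e.g.
    12.0.x, is treated as unfixed. That is the conservative choice.
    """
    fixed_patch = PATCHED.get((v[0], v[1]))
    return fixed_patch is not None and v[2] >= fixed_patch


def sql_expressions_enabled(ini_text: str,
                            env: Optional[Mapping[str, str]] = None) -> bool:
    """Detect the sqlExpressions toggle from grafana.ini and/or the environment.

    Grafana accepts both `enable = a,b` and `<toggle> = true` under
    [feature_toggles], plus the GF_FEATURE_TOGGLES_ENABLE variable.
    configparser lowercases keys, so all comparisons are case-insensitive.
    """
    env = env or {}
    toggles = set()
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if cp.has_section("feature_toggles"):
        for key, value in cp.items("feature_toggles"):
            if key == "enable":
                toggles.update(t.strip() for t in value.split(",") if t.strip())
            elif value.strip().lower() == "true":
                toggles.add(key)
    env_list = env.get("GF_FEATURE_TOGGLES_ENABLE", "")
    toggles.update(t.strip() for t in env_list.split(",") if t.strip())
    return "sqlexpressions" in {t.lower() for t in toggles}


def affected(version: str, sql_expressions_on: bool) -> set:
    """Return the set of CVE IDs that still apply to this version/config."""
    v = parse_version(version)
    if is_fixed(v):
        return set()
    found = set()
    if v >= RCE_INTRODUCED and sql_expressions_on:
        found.add(CVE_RCE)
    if v >= DOS_INTRODUCED:
        found.add(CVE_DOS)
    return found


if __name__ == "__main__":
    # Constructed inventory; in practice feed this from your CMDB or /api/health.
    inventory = [("grafana-prod", "12.3.5"), ("grafana-staging", "11.6.2"),
                 ("grafana-legacy", "11.5.9"), ("grafana-patched", "12.3.6")]
    toggle_on = sql_expressions_enabled(SAMPLE_INI)
    for host, ver in inventory:
        print(f"{host:16} {ver:8} {sorted(affected(ver, toggle_on)) or 'clean'}")
```

The version check alone is not enough for the RCE: an instance on 12.3.5 with the toggle off is only exposed to the DoS, while the same version with sqlExpressions on carries both. Feed the function the effective toggle state from the running host (ini plus environment), not just what your config repository says.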