Grafana security release: Critical and high severity security fixes for CVE-2026-27876 and CVE-2026-27880
Blog post from Grafana Labs
Grafana Labs has released version 12.4.2, along with patches for older versions, addressing critical and high-severity security vulnerabilities identified as CVE-2026-27876 and CVE-2026-27880.

CVE-2026-27876, with a CVSS score of 9.1, affects the SQL expressions feature and can allow remote code execution if certain conditions are met. CVE-2026-27880, with a CVSS score of 7.5, is a denial-of-service vulnerability caused by unbounded user input at the OpenFeature endpoint.

Users are strongly advised to upgrade to the patched versions to mitigate these risks; temporary workarounds are also available. Grafana Labs coordinated with cloud providers such as Amazon and Azure for early patching, and private releases were issued to customers under embargo before the public disclosure.

The vulnerabilities were discovered through a combination of internal and external sources, with acknowledgments given to the contributors, and users are encouraged to report any further security issues through Grafana's established channels.
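The denial-of-service issue is attributed to unbounded user input at an HTTP endpoint. The following Go program is an added illustration of that failure class and its standard mitigation; it is not Grafana's code and is not taken from the post. The endpoint path, the `evalRequest` payload shape, the 64 KiB limit and the sample bodies are all invented for the example. It contrasts a handler that buffers the whole body with `io.ReadAll` against one that wraps the body in `http.MaxBytesReader` (the `*http.MaxBytesError` type used to classify the rejection requires Go 1.19 or later) and streams the JSON decode from the limited reader, so an oversized request is refused with 413 before any large allocation happens.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is the largest request body the bounded handler will read.
// The value is an illustrative choice for this example, not a Grafana setting.
const maxBodyBytes = 64 << 10 // 64 KiB

// evalRequest is a hypothetical flag-evaluation payload; the real endpoint's
// request shape is not described in the post.
type evalRequest struct {
	FlagKey string            `json:"flagKey"`
	Context map[string]string `json:"context"`
}

// unboundedHandler buffers the entire body before decoding it. A client can
// make the server allocate as much memory as the client is willing to send.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	raw, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var req evalRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		http.Error(w, "malformed request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// boundedHandler wraps the body in http.MaxBytesReader so that at most
// maxBodyBytes are ever read; a larger body is rejected with 413 and the
// connection is marked for closure. Decoding streams from the limited reader,
// so no full-size buffer is ever allocated.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var req evalRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor drives a handler with an in-memory request and returns the
// HTTP status it produced. The path is a placeholder, not Grafana's route.
func statusFor(h http.HandlerFunc, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/placeholder/evaluate", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// smallBody is a constructed, well-formed payload comfortably under the limit.
func smallBody() string {
	return `{"flagKey":"new-dashboard","context":{"tenant":"demo"}}`
}

// oversizedBody is a constructed payload of roughly 200 KiB: syntactically
// valid JSON, but far larger than any legitimate evaluation request.
func oversizedBody() string {
	return `{"flagKey":"new-dashboard","context":{"blob":"` + strings.Repeat("A", 200<<10) + `"}}`
}

func main() {
	handlers := map[string]http.HandlerFunc{"unbounded": unboundedHandler, "bounded": boundedHandler}
	for name, h := range handlers {
		fmt.Printf("%-9s small=%d oversized=%d\n", name, statusFor(h, smallBody()), statusFor(h, oversizedBody()))
	}
}
```

The unbounded handler returns 200 for both bodies, which is exactly the problem: it has no way to refuse work before paying for it. The bounded handler accepts the small body, answers 413 to the oversized one after reading at most 64 KiB, and answers 400 to malformed JSON, so the three outcomes are distinguishable in access logs. A body limit is one layer; a production service would pair it with per-client rate limiting and a reasonable `ReadTimeout` on the server.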