Company:
Date Published:
Author: Sam Jewell
Word count: 795
Language: English
Hacker News points: None

Summary

Grafana Labs recently addressed a critical security vulnerability, CVE-2024-9264, affecting Grafana versions 11.0.x through 11.2.x. The flaw allowed command injection and local file inclusion through SQL Expressions, an experimental feature that was unintentionally enabled by default. Rated CVSS 9.9, it could let any user with Viewer permissions or higher read arbitrary files on the host machine, including files containing unencrypted passwords, provided the DuckDB binary was present in the system's PATH. The issue, discovered internally in September 2024, prompted Grafana Labs to release patched versions, remove the SQL Expressions feature, and verify the security of its cloud offerings. Users are advised to upgrade to a patched version or to remove the DuckDB binary as a mitigation. Grafana Labs also emphasizes responsible disclosure of security issues and provides a platform for reporting vulnerabilities.