CVE-2026-27876
Grafana · Grafana
A chained attack involving SQL Expressions and a Grafana Enterprise plugin enables remote arbitrary code execution (RCE) when the sqlExpressions feature toggle is active.
Executive summary
Grafana instances with the sqlExpressions feature enabled are at critical risk of Remote Code Execution (RCE) through a chained vulnerability in Enterprise plugins.
Vulnerability
This is a chained vulnerability where the "sqlExpressions" feature toggle in Grafana OSS interacts with a Grafana Enterprise plugin to allow Remote Code Execution. An attacker can exploit this chain to execute arbitrary code on the host system.
Business impact
The CVSS score of 9.1 indicates a critical risk to the organization. Successful exploitation allows an attacker to gain full control over the Grafana server, potentially leading to lateral movement within the network, data exfiltration, and complete compromise of the monitoring infrastructure. This could result in prolonged service outages and significant security remediation costs.
Remediation
Immediate Action: Update Grafana and all Enterprise plugins to the latest versions. If patching is not possible, disable the sqlExpressions feature toggle in the Grafana configuration.
Proactive Monitoring: Monitor system logs for unauthorized shell execution or unexpected network connections originating from the Grafana server.
Compensating Controls: Restrict access to the Grafana web interface to authorized internal users only and ensure the service is running with the least privilege necessary.
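As a concrete form of the monitoring step above, the following is an added example (not code from the advisory or from Grafana) that takes a point-in-time look at the process tree and reports shells or script interpreters running underneath the Grafana server. It assumes Linux /proc and that the server process is named `grafana` or `grafana-server` (the binary names shipped by the packages; adjust for your deployment). The set of interpreter names is an assumed baseline, and the sample process table is constructed.

```python
"""Point-in-time check for shells or script interpreters running underneath the
Grafana server process. Added example for the advisory's monitoring step; not code
from the advisory or from Grafana. Assumes Linux /proc and that the server process
is named `grafana` or `grafana-server` (package binary names; adjust as needed).
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

GRAFANA_NAMES = {"grafana", "grafana-server"}
# Interpreters a monitoring server should not normally spawn (assumed baseline).
INTERPRETER_NAMES = {"sh", "bash", "dash", "ash", "zsh", "python", "python3", "perl"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str


def read_proc_table() -> List[Proc]:
    """Read pid, parent pid and command name for every process from /proc/<pid>/status."""
    procs = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            status = (entry / "status").read_text()
        except OSError:  # process exited between listing and reading
            continue
        fields = dict(line.partition(":")[::2] for line in status.splitlines() if ":" in line)
        procs.append(Proc(int(entry.name),
                          int(fields.get("PPid", "0").strip()),
                          fields.get("Name", "").strip()))
    return procs


def interpreters_under_grafana(procs: Iterable[Proc]) -> List[Proc]:
    """Walk every descendant of each Grafana process and return the interpreters found.

    Grafana backend plugins run as separate child processes, so a shell spawned by a
    plugin shows up as a grandchild of the server; hence the recursive walk rather
    than a check of direct children only.
    """
    procs = list(procs)
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    findings, seen = [], set()
    stack = [p for p in procs if p.comm in GRAFANA_NAMES]
    while stack:
        parent = stack.pop()
        for child in children[parent.pid]:
            if child.pid in seen:
                continue
            seen.add(child.pid)
            if child.comm in INTERPRETER_NAMES:
                findings.append(child)
            stack.append(child)
    return sorted(findings, key=lambda p: p.pid)


if __name__ == "__main__":
    for hit in interpreters_under_grafana(read_proc_table()):
        print(f"pid {hit.pid} ({hit.comm}) running under Grafana, parent pid {hit.ppid}")
```

Run it from cron or a monitoring agent on the Grafana host; any hit is worth correlating with the unexpected outbound connections the advisory also mentions. A one-shot scan misses short-lived processes, so it complements, rather than replaces, continuous execve logging such as auditd.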
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the potential for Remote Code Execution, this vulnerability must be addressed with the highest urgency. Administrators should prioritize upgrading their Grafana environment and verifying that the sqlExpressions feature is only enabled if absolutely necessary and properly secured.
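Both the remediation step (disable the toggle if you cannot patch) and the recommendation above (verify the toggle is only on where necessary) come down to knowing what a given grafana.ini actually sets. The following is an added example, not code from the advisory or from Grafana, that reads the `[feature_toggles]` section and reports whether sqlExpressions is on and why. It assumes the two documented ways of enabling a toggle (the comma-separated `enable` list and a per-toggle `sqlExpressions = true` key) and the `GF_FEATURE_TOGGLES_ENABLE` environment override; the rule that a per-toggle `= false` wins over the list, and that an unconfigured toggle is off, are assumptions stated in the code. The sample configurations in the test are constructed.

```python
"""Audit a grafana.ini (plus the GF_* environment override) for the sqlExpressions toggle.

Added example, not Grafana's or the advisory's own code. Assumes the documented ways
of enabling a toggle in the [feature_toggles] section:
    enable = featureA,featureB        ; comma-separated list
    sqlExpressions = true             ; one key per toggle
and the environment override GF_FEATURE_TOGGLES_ENABLE, which replaces the `enable`
value. Assumptions: a per-toggle `= false` overrides the list; unconfigured means off.
"""
import configparser
import os
from typing import Dict, List, Mapping, Optional

TOGGLE = "sqlExpressions"
SECTION = "feature_toggles"
ENV_ENABLE = "GF_FEATURE_TOGGLES_ENABLE"


def _parse(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(
        allow_no_value=True,                 # grafana.ini has keys with empty values
        interpolation=None,                  # '%' must not be treated as a format string
        inline_comment_prefixes=(";", "#"),  # both comment styles appear in grafana.ini
        strict=False,
    )
    cp.optionxform = str                     # toggle names are case-sensitive; keep case
    cp.read_string(ini_text)
    return cp


def _as_bool(value: str) -> Optional[bool]:
    v = value.strip().lower()
    if v in ("true", "1", "yes", "on"):
        return True
    if v in ("false", "0", "no", "off"):
        return False
    return None


def sql_expressions_state(ini_text: str,
                          env: Optional[Mapping[str, str]] = None) -> Dict[str, object]:
    """Return {'enabled': bool, 'evidence': [str]} explaining why the toggle is on or off."""
    env = os.environ if env is None else env
    cp = _parse(ini_text)
    enabled = False
    evidence: List[str] = []

    # 1. The comma-separated list, which the environment variable replaces outright.
    list_value = cp.get(SECTION, "enable", fallback="") or ""
    if ENV_ENABLE in env:
        list_value = env[ENV_ENABLE]
        evidence.append(f"{ENV_ENABLE} overrides [{SECTION}] enable")
    listed = [t.strip() for t in list_value.split(",") if t.strip()]
    if TOGGLE in listed:
        enabled = True
        evidence.append(f"{TOGGLE} listed in [{SECTION}] enable")

    # 2. The per-toggle key; assumed to take precedence over the list when present.
    per_key = cp.get(SECTION, TOGGLE, fallback=None)
    if per_key is not None:
        flag = _as_bool(per_key)
        if flag is None:
            evidence.append(f"unparseable value for [{SECTION}] {TOGGLE}: {per_key!r}")
        else:
            enabled = flag
            evidence.append(f"[{SECTION}] {TOGGLE} = {per_key.strip()}")

    if not evidence:
        evidence.append(f"{TOGGLE} not configured; treated as off (assumed default)")
    return {"enabled": enabled, "evidence": evidence}


def audit_file(path: str) -> Dict[str, object]:
    """Audit an on-disk grafana.ini using the real process environment."""
    with open(path, encoding="utf-8") as fh:
        return sql_expressions_state(fh.read())


if __name__ == "__main__":
    import sys
    result = audit_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/grafana/grafana.ini")
    print("sqlExpressions enabled:", result["enabled"])
    for line in result["evidence"]:
        print("  -", line)
```

Run it against each instance's grafana.ini with the service's environment loaded, since a container or systemd unit can switch the toggle on through `GF_FEATURE_TOGGLES_ENABLE` even when the file says nothing about it; an "enabled" result on an unpatched instance is the condition this advisory is about.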