REPRO-2026-00125 CRITICAL RCE
Verified
Grafana SQL Expressions RCE
Apr 1, 2026
What's the vulnerability?
Grafana v11.6.0 and later, with the SQL Expressions feature enabled, lets any authenticated user with the Viewer role or higher write arbitrary files on the Grafana server through a crafted SQL Expression query (tracked as CVE-2026-27876). Chain: 1) log in, 2) submit a crafted SQL Expression query, 3) overwrite either the Sqlyze driver binary (versions before 1.5.0) or the AWS config file, 4) code execution. Prerequisites: the sqlExpressions feature toggle is enabled and a vulnerable plugin is installed.
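The two prerequisites this page names (affected Grafana version and the sqlExpressions toggle) are checkable from configuration alone. The script below is an added example, not part of the Pruva artifacts or of Grafana: it reads the [feature_toggles] section of a grafana.ini and the standard GF_FEATURE_TOGGLES_ENABLE environment override, compares the reported version against the lower bound the page gives (no fixed version is stated here, so only the lower bound is checked), and reports whether the instance meets the preconditions for the chain. The grafana.ini fragment is constructed for the example, and the third prerequisite (Sqlyze driver before 1.5.0) is not covered because the page does not identify how the plugin version is exposed.

```python
import configparser
import re

# Constructed sample grafana.ini fragment for this example; the toggle named on
# this page as a prerequisite is enabled alongside an unrelated one.
SAMPLE_INI = """
[server]
http_port = 3000

[feature_toggles]
; comma- or space-separated list of toggles to turn on
enable = publicDashboards,sqlExpressions
"""

TOGGLE = "sqlExpressions"
# The page gives "Grafana v11.6.0+" as the affected range; it names no fixed
# version, so only the lower bound is encoded here.
AFFECTED_FROM = (11, 6, 0)


def parse_version(version: str) -> tuple:
    """Turn 'v11.6.0-pre' or '11.6.0+security-01' into (11, 6, 0)."""
    core = re.split(r"[-+]", version.lstrip("vV"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def toggles_from_ini(ini_text: str) -> set:
    """Collect enabled feature toggles from the [feature_toggles] section.

    Grafana accepts both 'enable = a,b,c' and per-toggle 'name = true' keys.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep camelCase toggle names intact
    cp.read_string(ini_text)
    if not cp.has_section("feature_toggles"):
        return set()
    enabled = set()
    for key, value in cp.items("feature_toggles"):
        if key == "enable":
            enabled.update(t for t in re.split(r"[,\s]+", value) if t)
        elif value.strip().lower() in ("true", "1"):
            enabled.add(key)
    return enabled


def toggles_from_env(env) -> set:
    """Read the GF_<SECTION>_<KEY> override for the same setting."""
    raw = env.get("GF_FEATURE_TOGGLES_ENABLE", "")
    return {t for t in re.split(r"[,\s]+", raw) if t}


def assess(ini_text: str, env, version: str) -> dict:
    """Report whether the page's configuration prerequisites are met."""
    toggles = toggles_from_ini(ini_text) | toggles_from_env(env)
    in_range = parse_version(version) >= AFFECTED_FROM
    return {
        "toggle_enabled": TOGGLE in toggles,
        "version_in_affected_range": in_range,
        # Both conditions from the page; the plugin version is not checked.
        "exposed": TOGGLE in toggles and in_range,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_INI, {}, "v11.6.0"))
```

On a real host, feed it the contents of the running instance's grafana.ini, its process environment, and the version string reported by the /api/health endpoint; a result of exposed = True means the first two prerequisites hold and the plugin version still needs to be confirmed separately.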
Root Cause Analysis
Variant Analysis
Bypass and alternate trigger exploration.
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script:

    pruva-verify REPRO-2026-00125

or

    pruva-verify CVE-2026-27876

Install:

    curl -fsSL https://pruva.dev/install.sh | sh

Piping an installer straight into sh runs code you have not reviewed with your privileges; download the script and read it before executing it, and treat the reproduction script the same way.

Or Run Manually
1. Download the script

    curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00125/artifacts/repro/reproduction_steps.sh

2. Make it executable

    chmod +x reproduction_steps.sh

3. Run the script

    ./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.
How Pruva Reproduced This
Watch the AI agent's step-by-step process.
Artifacts
repro/rca_report.md (5.7 KB)
repro/reproduction_steps.sh (10.0 KB)
vuln_variant/rca_report.md (7.9 KB)
vuln_variant/reproduction_steps.sh (10.1 KB)
bundle/AGENTS.repro.md (0.7 KB)
bundle/ticket.json (0.8 KB)
bundle/ticket.md (0.5 KB)
repro/runtime_manifest.json (0.8 KB)
repro/test_exploit.sh (2.7 KB)
repro/validation_verdict.json (0.7 KB)
logs/docker_start.log (0.1 KB)
logs/docker_start_fixed.log (0.1 KB)
logs/docker_start_vulnerable.log (0.1 KB)
logs/grafana_error.log (2.9 KB)
logs/grafana_error_fixed.log (2.7 KB)
logs/grafana_error_vulnerable.log (2.9 KB)
logs/grafana_logs.log (0.4 KB)
logs/variant_analysis.log (2.9 KB)
logs/variant_analysis2.log (7.2 KB)
vuln_variant/patch_analysis.md (4.9 KB)
vuln_variant/runtime_manifest.json (0.8 KB)
vuln_variant/source_identity.json (0.6 KB)
vuln_variant/validation_verdict.json (2.3 KB)
vuln_variant/variant_manifest.json (2.5 KB)