=== CVE-2026-27876 Grafana SQL Expressions RCE - Variant/Bypass Analysis ===
Vulnerability: Arbitrary file write via SQL INTO clause
Target: Grafana SQL Expressions feature

Starting variant analysis...

=== Testing Vulnerable Version ===
=========================================
Testing vulnerable (Grafana 11.6.0)
=========================================
[1/5] Starting Grafana 11.6.0 with sqlExpressions enabled...
b4e4f5e32e93850bb31bf15a6cf4da531d3530323abd48a839351f0232e076c3
[2/5] Waiting for Grafana to start...
Waiting... (10/60)
Waiting... (20/60)
Waiting... (30/60)
Waiting... (40/60)
Waiting... (50/60)
Waiting... (60/60)
ERROR: Grafana failed to start
logger=grafana.update.checker t=2026-04-01T08:15:50.895629176Z level=info msg="Update check succeeded" duration=188.2132ms
logger=plugin.angulardetectorsprovider.dynamic t=2026-04-01T08:15:50.900686291Z level=info msg="Patterns update finished" duration=173.706235ms
logger=grafana-apiserver t=2026-04-01T08:15:50.946263779Z level=info msg="Adding GroupVersion playlist.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:15:50.947103285Z level=info msg="Adding GroupVersion dashboard.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:15:50.947456245Z level=info msg="Adding GroupVersion dashboard.grafana.app v1alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:15:50.94777608Z level=info msg="Adding GroupVersion dashboard.grafana.app v2alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:15:50.94803879Z level=info msg="Adding GroupVersion featuretoggle.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:15:50.948689711Z level=info msg="Adding GroupVersion iam.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:15:50.949467049Z level=info msg="Adding GroupVersion notifications.alerting.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:15:50.949789009Z level=info msg="Adding GroupVersion userstorage.grafana.app v0alpha1 to ResourceManager"
logger=app-registry t=2026-04-01T08:15:50.970947015Z level=info msg="app registry initialized"
logger=plugin.installer t=2026-04-01T08:15:52.067166758Z level=info msg="Installing plugin" pluginId=grafana-lokiexplore-app version=
logger=installer.fs t=2026-04-01T08:15:52.172920492Z level=info msg="Downloaded and extracted grafana-lokiexplore-app v1.0.39 zip successfully to /var/lib/grafana/plugins/grafana-lokiexplore-app"
logger=plugins.registration t=2026-04-01T08:15:52.195079795Z level=info msg="Plugin registered" pluginId=grafana-lokiexplore-app
logger=plugin.backgroundinstaller t=2026-04-01T08:15:52.195111337Z level=info msg="Plugin successfully installed" pluginId=grafana-lokiexplore-app version= duration=1.487731402s
logger=plugin.backgroundinstaller t=2026-04-01T08:15:52.19513167Z level=info msg="Installing plugin" pluginId=grafana-pyroscope-app version=
logger=plugin.installer t=2026-04-01T08:15:52.991579903Z level=info msg="Installing plugin" pluginId=grafana-pyroscope-app version=
logger=installer.fs t=2026-04-01T08:15:53.039278572Z level=info msg="Downloaded and extracted grafana-pyroscope-app v1.17.0 zip successfully to /var/lib/grafana/plugins/grafana-pyroscope-app"
logger=plugins.registration t=2026-04-01T08:15:53.050075138Z level=info msg="Plugin registered" pluginId=grafana-pyroscope-app
logger=plugin.backgroundinstaller t=2026-04-01T08:15:53.050098263Z level=info msg="Plugin successfully installed" pluginId=grafana-pyroscope-app version= duration=854.963426ms
grafana-variant-test
WARNING: Could not test vulnerable version

=== Testing Fixed Version ===
=========================================
Testing fixed (Grafana 11.6.14)
=========================================
[1/5] Starting Grafana 11.6.14 with sqlExpressions enabled...
693a41a87d443596fbaf2a41ec0d9ccdd49100a5c98bd7a4597a9ee150eb517f
[2/5] Waiting for Grafana to start...
Waiting... (10/60)
Waiting... (20/60)
Waiting... (30/60)
Waiting... (40/60)
Waiting... (50/60)
Waiting... (60/60)
ERROR: Grafana failed to start
logger=provisioning.dashboard t=2026-04-01T08:16:50.608092473Z level=info msg="starting to provision dashboards"
logger=provisioning.dashboard t=2026-04-01T08:16:50.60810264Z level=info msg="finished to provision dashboards"
logger=ticker t=2026-04-01T08:16:50.60810264Z level=info msg=starting first_tick=2026-04-01T08:17:00Z
logger=grafana-apiserver t=2026-04-01T08:16:50.655370033Z level=info msg="Adding GroupVersion userstorage.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:16:50.655710624Z level=info msg="Adding GroupVersion playlist.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:16:50.655915004Z level=info msg="Adding GroupVersion featuretoggle.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:16:50.656546061Z level=info msg="Adding GroupVersion iam.grafana.app v0alpha1 to ResourceManager"
logger=grafana-apiserver t=2026-04-01T08:16:50.657243911Z level=info msg="Adding GroupVersion notifications.alerting.grafana.app v0alpha1 to ResourceManager"
logger=plugin.angulardetectorsprovider.dynamic t=2026-04-01T08:16:50.66306901Z level=info msg="Patterns update finished" duration=77.034945ms
logger=app-registry t=2026-04-01T08:16:50.6719331Z level=info msg="app registry initialized"
logger=plugin.installer t=2026-04-01T08:16:51.200813199Z level=info msg="Installing plugin" pluginId=grafana-pyroscope-app version=
logger=installer.fs t=2026-04-01T08:16:51.260246985Z level=info msg="Downloaded and extracted grafana-pyroscope-app v2.0.1 zip successfully to /var/lib/grafana/plugins/grafana-pyroscope-app"
logger=plugins.registration t=2026-04-01T08:16:51.274955991Z level=info msg="Plugin registered" pluginId=grafana-pyroscope-app
logger=plugin.backgroundinstaller t=2026-04-01T08:16:51.274976158Z level=info msg="Plugin successfully installed" pluginId=grafana-pyroscope-app version= duration=779.234567ms
logger=plugin.backgroundinstaller t=2026-04-01T08:16:51.274989117Z level=info msg="Installing plugin" pluginId=grafana-lokiexplore-app version=
logger=plugin.installer t=2026-04-01T08:16:51.619254383Z level=info msg="Installing plugin" pluginId=grafana-lokiexplore-app version=
logger=installer.fs t=2026-04-01T08:16:51.713859188Z level=info msg="Downloaded and extracted grafana-lokiexplore-app v2.0.1 zip successfully to /var/lib/grafana/plugins/grafana-lokiexplore-app"
logger=plugins.registration t=2026-04-01T08:16:51.730398611Z level=info msg="Plugin registered" pluginId=grafana-lokiexplore-app
logger=plugin.backgroundinstaller t=2026-04-01T08:16:51.730414361Z level=info msg="Plugin successfully installed" pluginId=grafana-lokiexplore-app version= duration=455.423328ms
logger=infra.usagestats t=2026-04-01T08:17:58.502307099Z level=info msg="Usage stats are ready to report"
grafana-variant-test
WARNING: Could not test fixed version

=== Variant Analysis Complete ===
Results saved to:
- /data/pruva/runs/89906abc-b6a9-4add-bf21-2cf03f0bc69e/artifacts/
- /data/pruva/runs/89906abc-b6a9-4add-bf21-2cf03f0bc69e/logs/

=== Summary ===
WARNING: INTO clauses may not be properly blocked in fixed version.
This could indicate a potential bypass variant.