CVE-2026-28381: Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT
The Snowflake datasource accepts GET/PUT commands, which lets any user who can run queries against the data source read and write files between the local Grafana server and the connected Snowflake host.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization control bypass in the Grafana Snowflake datasource plugin (versions up to and including 1.14.12) allows any user who can run queries against the datasource to issue Snowflake GET and PUT commands. The commands are submitted over the network, operate on the local Grafana server filesystem, and require only a low-privilege account. Successful exploitation lets an attacker read arbitrary files from the Grafana server or write files to it, which opens a path to privilege escalation on the host. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-28381 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Grafana Snowflake datasource plugin. Any image running an affected version (Snowflake Datasource 1.14.12 or earlier) will surface in scan results automatically.
Status: Available
HarborGuard scores this CVE at CVSS 9.6 (Critical) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a corrected release. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Grafana service over the network to submit queries against the Snowflake datasource (AV:N).
- Authentication: Required
  A valid Grafana account with datasource query access is needed, but any low-privilege user account is sufficient (PR:L).
- Victim interaction: Not required
  No victim action is needed; the attacker submits the malicious GET or PUT command directly without relying on another user (UI:N).
- Attack complexity: Detail
  The exploit is reliable and requires no special race conditions or environmental prerequisites; the attack succeeds consistently once the attacker has query access (AC:L).
Blast Radius
- Reads arbitrary files from the Grafana server filesystem, including configuration files, secrets, and credentials stored on disk.
- Writes attacker-controlled files to the Grafana server filesystem, enabling placement of webshells, backdoors, or overwriting of existing binaries and config files.
- File write access creates a concrete path to escalating privileges on the underlying host beyond the Grafana process boundary.
How HarborGuard Handles This
Available on HarborGuard: any image containing the Grafana Snowflake datasource plugin at version 1.14.12 or earlier is flagged as Critical on ingestion, with no upstream patch currently available. HarborGuard re-evaluates the advisory every ingest cycle and will initiate a patched-image rebuild automatically the moment the Grafana project publishes a fixed release. For customers with auto-remediation enabled, that flow includes a regression test run and a PR opened against affected workloads.
In the interim, compensating controls worth considering include:
- applying a network policy to restrict which identities can query the Snowflake datasource within Grafana;
- auditing datasource permissions to ensure only trusted users hold query access;
- enabling egress filtering on the Grafana host to limit outbound Snowflake GET or PUT traffic to approved destinations.
These controls reduce exposure but do not eliminate the underlying vulnerability.
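Alongside the permission audit, saved panel queries or query logs can be screened for the GET and PUT statements this advisory describes. The following is an added example, not HarborGuard or Grafana code; the function names and sample queries are constructed, and it assumes Snowflake's documented statement shape, in which the local side of a transfer is written as a `file://` URI.

```python
import re

_TRANSFER = re.compile(r"(GET|PUT)\b(.*)", re.I | re.S)
_LOCAL = re.compile(r"file://[^\s'\"]+", re.I)

def split_statements(sql):
    """Split on ';' outside quotes; comments are dropped, quoted text kept."""
    buf, i, n = [], 0, len(sql)
    while i < n:
        ch, two, j = sql[i], sql[i:i + 2], i + 1
        if sql[i:i + 7].lower() == "file://":   # unquoted URI: keep its slashes
            while j < n and not sql[j].isspace() and sql[j] != ";":
                j += 1
            buf.append(sql[i:j])
        elif two == "/*":                       # block comment becomes a space
            end = sql.find("*/", i + 2)
            j = n if end < 0 else end + 2
            buf.append(" ")
        elif two in ("--", "//"):               # line comment, both Snowflake styles
            end = sql.find("\n", i)
            j = n if end < 0 else end
        elif ch in "'\"":                       # string literal or quoted identifier
            while j < n and sql[j] != ch:
                j += 2 if sql[j] == "\\" else 1
            j += 1
            buf.append(sql[i:j])
        elif ch == ";":
            buf.append("\x00")                  # statement boundary marker
        else:
            buf.append(ch)
        i = j
    return [s.strip() for s in "".join(buf).split("\x00") if s.strip()]

def find_file_transfers(sql):
    # Return (verb, local_uri_or_None) for each statement that is a GET or PUT.
    hits = []
    for stmt in split_statements(sql):
        if m := _TRANSFER.match(stmt):
            local = _LOCAL.search(m.group(2))
            hits.append((m.group(1).upper(), local.group(0) if local else None))
    return hits

# Constructed sample queries keyed by made-up panel names (not from the advisory).
SAMPLES = {
    "panel-1": "SELECT ts, value FROM metrics WHERE ts > DATEADD(hour, -1, CURRENT_TIMESTAMP())",
    "panel-2": "/* note */ put file:///tmp/constructed-sample.csv @~/staged;",
    "panel-3": "SELECT 'GET @s file:///x' AS label; -- PUT file:///y @s\nGet @~/staged 'file:///tmp/constructed-out/'",
    "panel-4": "SELECT '/*'; PUT file:///tmp/constructed-b.txt @%t; SELECT '*/'",
}
FINDINGS = {name: find_file_transfers(q) for name, q in SAMPLES.items()}
```

Only statements that begin with GET or PUT are reported, so the verbs inside a string literal or a comment (panel-3) do not raise a finding, and comment markers hidden in string literals (panel-4) do not mask a real one.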
- Grafana / Snowflake Datasource ≤ 1.14.12
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N