GHSA-q99m-qcv4-fpm7
CRITICALGrafana Command Injection And Local File Inclusion Via Sql Expressions
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/grafana/grafana🐹github.com/grafana/grafana🐹github.com/grafana/grafanaReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The duckdb binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/grafana/grafana | ≥ 11.0.0&&< 11.0.6+security-01 | 11.0.6+security-01 |
| 🐹Go | github.com/grafana/grafana | ≥ 11.1.0&&< 11.1.7+security-01 | 11.1.7+security-01 |
| 🐹Go | github.com/grafana/grafana | ≥ 11.2.0&&< 11.2.2+security-01 | 11.2.2+security-01 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Frequently Asked Questions
Is GHSA-q99m-qcv4-fpm7 in your stack?
O3 detects GHSA-q99m-qcv4-fpm7 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.