The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:NGrafana Snowflake
APPGrafana1.14.7 – 1.14.12
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2021-39226CRITICAL9.8⚠ KEVten sam vendor
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated ...
CVE-2025-41118CRITICAL9.1PL ✓ten sam vendor
Grafana Pyroscope: ujawnienie klucza sekretnego Tencent COS przez API
CVE-2026-27876CRITICAL9.1PL ✓ten sam vendor
RCE w Grafana przez SQL Expressions i plugin Enterprise (CVE-2026-27876)
CVE-2025-41115CRITICAL10.0PL ✓ten sam vendor
Grafana Enterprise: privilege escalation przez SCIM provisioning (LPE)
CVE-2024-9264CRITICAL9.4PL ✓ten sam vendor
Grafana: command injection i local file inclusion przez SQL Expressions (duckdb)