{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-28381","assignerOrgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","state":"PUBLISHED","assignerShortName":"GRAFANA","dateReserved":"2026-02-27T07:16:12.218Z","datePublished":"2026-06-22T13:20:29.440Z","dateUpdated":"2026-06-22T15:43:15.085Z"},"containers":{"cna":{"providerMetadata":{"orgId":"57da9224-a3e2-4646-9d0e-c4dc2e05e7da","shortName":"GRAFANA","dateUpdated":"2026-06-22T13:20:29.440Z"},"datePublic":"2026-05-15T17:00:39.039Z","title":"Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT","descriptions":[{"lang":"en","value":"The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host."}],"affected":[{"vendor":"Grafana","product":"Snowflake Datasource","defaultStatus":"unaffected","versions":[{"version":"1.14.7","status":"affected","versionType":"semver","lessThanOrEqual":"1.14.12"}]}],"references":[{"url":"https://grafana.com/security/security-advisories/cve-2026-28381","tags":["vendor-advisory"]}],"metrics":[{"cvssV3_1":{"version":"3.1","baseScore":9.6,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}}],"credits":[{"lang":"en","value":"stargravy (Researcher)","type":"finder"}],"source":{"discovery":"BUG_BOUNTY"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-22T15:43:02.758856Z","id":"CVE-2026-28381","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-22T15:43:15.085Z"}}]}}