CVE-2026-28378

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GRAFANACNA
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
grafanagrafana
11.6.0 ≤
𝑥
≤ 11.6.13
CNA
grafanagrafana
12.1.0 ≤
𝑥
≤ 12.1.9
CNA
grafanagrafana
12.2.0 ≤
𝑥
≤ 12.2.7
CNA
grafanagrafana
12.3.0 ≤
𝑥
≤ 12.3.5
CNA
grafanagrafana
12.4.0 ≤
𝑥
≤ 12.4.1
CNA