CVE-2026-28378

Summary

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana Enterprise11.6.0 <= 11.6.13affected
GrafanaGrafana Enterprise12.1.0 <= 12.1.9affected
GrafanaGrafana Enterprise12.2.0 <= 12.2.7affected
GrafanaGrafana Enterprise12.3.0 <= 12.3.5affected
GrafanaGrafana Enterprise12.4.0 <= 12.4.1affected
GrafanaGrafana OSS11.6.0 <= 11.6.13affected
GrafanaGrafana OSS12.1.0 <= 12.1.9affected
GrafanaGrafana OSS12.2.0 <= 12.2.7affected
GrafanaGrafana OSS12.3.0 <= 12.3.5affected
GrafanaGrafana OSS12.4.0 <= 12.4.1affected

Weaknesses

References