CVE-2026-28378
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Grafana | Grafana Enterprise | 11.6.0 <= 11.6.13 | affected |
| Grafana | Grafana Enterprise | 12.1.0 <= 12.1.9 | affected |
| Grafana | Grafana Enterprise | 12.2.0 <= 12.2.7 | affected |
| Grafana | Grafana Enterprise | 12.3.0 <= 12.3.5 | affected |
| Grafana | Grafana Enterprise | 12.4.0 <= 12.4.1 | affected |
| Grafana | Grafana OSS | 11.6.0 <= 11.6.13 | affected |
| Grafana | Grafana OSS | 12.1.0 <= 12.1.9 | affected |
| Grafana | Grafana OSS | 12.2.0 <= 12.2.7 | affected |
| Grafana | Grafana OSS | 12.3.0 <= 12.3.5 | affected |
| Grafana | Grafana OSS | 12.4.0 <= 12.4.1 | affected |
Weaknesses
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.