Grafana OSS CVE-2026-28374
EUVD-2026-30137 | MEDIUM
Improper Access Control (CWE-284)
2026-05-13 · GRAFANA · GHSA-8mrj-8pc8-39jm
CVSS 3.1 (NVD): 4.3

Severity by source

NVD (primary): 4.3 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SUSE: MEDIUM (qualitative)
Red Hat: 4.3 MEDIUM (qualitative)

Primary rating from NVD.

CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 12:47 (vuln.today)
Patch available: May 13, 2026 - 21:02 (EUVD)

Description (CVE.org)

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

Analysis (AI)

Improper access control in Grafana OSS allows authenticated Editor-role users to delete any annotation instance-wide, regardless of whether they hold read or create permissions on that annotation. The flaw affects a broad version range from 8.5.0 through 13.0.1, exposing organizations to unauthorized data destruction by low-privileged internal users. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to Grafana as Editor-role user
Delivery: Enumerate or guess annotation IDs via API or network observation
Exploit: Craft DELETE request targeting out-of-scope annotation ID
Execution: Backend skips read-access check
Impact: Annotation permanently deleted without authorization

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated Grafana account with the Editor role assigned - confirmed by the CVSS vector PR:L (low privilege required). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS base score of 4.3 (Medium) reflects a network-exploitable, low-complexity, low-privilege-required vector with partial integrity impact and no confidentiality or availability impact - an appropriate calibration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated Grafana user holding the Editor role enumerates annotation IDs by probing the Grafana API or observing network traffic within their accessible dashboards, then issues DELETE requests against annotation IDs belonging to restricted dashboards or data sources to which they have no read access. The backend processes the deletion without verifying read permissions, permanently removing the targeted annotations. …

Remediation: Upgrade Grafana OSS to the appropriate security-patched release: 11.6.14+security-04 for the 8.5-11.6.x line, 12.2.8+security-04 for the 12.0-12.2.x line, 12.3.6+security-04 for the 12.3.x line, 12.4.3+security-02 for the 12.4.x line, or 13.0.1+security-01 for the 13.0.x line. … Detailed patch versions, workarounds, and compensating controls in full report.

Vendor Status

SUSE
Severity: Medium

Product Status:
SUSE Linux Enterprise Module for Package Hub 15 SP7: Fixed
SUSE Manager Client Tools 15: Fixed
SUSE Manager Client Tools for SLE 15: Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4: Fixed
