Skip to main content

Grafana CVE-2026-28378

| EUVDEUVD-2026-42109 LOW
Improper Access Control (CWE-284)
2026-07-07 GRAFANA GHSA-x94r-qqxh-wpj5
2.7
CVSS 3.1 · NVD

Severity by source

Vendor (GRAFANA) PRIMARY
LOW
qualitative
NVD
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

Requires authenticated Org Admin role (PR:L) and knowledge of cross-org dashboard identifiers (AC:H); impact is limited to cross-tenant deletion (I:L) with no confidentiality or availability effect.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GRAFANA).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
CVSS changed
Jul 10, 2026 - 16:07 NVD
3.1 (LOW) 2.7 (LOW)
Analysis Generated
Jul 07, 2026 - 22:08 vuln.today

DescriptionNVD

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.

AnalysisAI

Cross-organization authorization bypass in Grafana OSS and Enterprise allows an authenticated Org Admin to delete public dashboards owned by a different organization by supplying the target dashboard's identifiers to the deletion endpoint. The missing tenant-isolation check on the delete operation means any Org Admin - regardless of their organizational scope - can reach and destroy dashboards across organizational boundaries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Org Admin in any organization
Delivery
Enumerate or obtain target public dashboard UID from another org
Exploit
Craft DELETE request to public dashboard deletion endpoint with target UID
Execution
Endpoint skips org-ownership validation
Impact
Target dashboard deleted across organizational boundary

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an authenticated Org Admin role (PR:L per CVSS vector) within any organization on the target Grafana instance - this is not an unauthenticated or anonymous attack. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) scores 3.1, correctly reflecting a network-reachable but authentication-gated and complexity-constrained flaw with limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with Org Admin credentials in Organization A enumerates or infers the UID of a public dashboard belonging to Organization B - for example, by observing shared dashboard links or through API enumeration - then issues a DELETE request to the public dashboard deletion endpoint using that UID. Because the endpoint does not validate organizational ownership, the request succeeds and the target dashboard is permanently deleted. …
Remediation Consult the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-28378 for the vendor-released patched version - no exact fix version number is confirmed from the available data, so the patch version must be taken directly from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-28378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy