Grafana OSS CVE-2026-28380

EUVD-2026-30140 | MEDIUM
Weakness: Missing Authorization (CWE-862)
2026-05-13 | GRAFANA | GHSA-29p4-5443-x453
CVSS 3.1 (NVD): 6.5

Severity by source

NVD (primary): 6.5 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
SUSE: MEDIUM (qualitative)
Red Hat: 6.5 MEDIUM (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 11:46 (vuln.today)
Patch available: May 13, 2026 - 21:02 (EUVD)

Description (CVE.org)

Any Editor could delete any snapshot, even if they have no access to read or write them.

Analysis (AI-generated)

Missing authorization in Grafana OSS's snapshot deletion endpoint allows any authenticated Editor-role user to delete arbitrary snapshots across the platform, regardless of whether they hold read or write access to those snapshots. Affected versions span a wide release range from 9.4.0 through 13.0.1 across multiple major branches (CPE: cpe:2.3:a:grafana:grafana_oss). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Authenticate with Editor-role credentials
Delivery: Obtain or enumerate target snapshot ID from shared URL or API
Exploit: Send unauthorized DELETE request to /api/snapshots/{key}
Execution: Server skips object-level authorization check
Impact: Target snapshot permanently deleted outside attacker's legitimate scope

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires a valid Grafana session with at minimum an Editor role (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N scores 6.5 (Medium), reflecting network-accessible, low-complexity exploitation with a low-privilege prerequisite, yielding high integrity impact but no confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated Grafana user holding an Editor role enumerates snapshot IDs - discoverable through Grafana's UI, API, or shared links distributed within the organization - belonging to dashboards outside their access scope. The Editor then issues a DELETE request to the Grafana snapshot API targeting one of these foreign snapshot IDs; the server processes the deletion without validating object-level permissions, successfully destroying the snapshot. …

Remediation: Upgrade to the appropriate vendor-patched release for your current branch: 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, or 13.0.1+security-01, as confirmed by Grafana's security advisory at https://grafana.com/security/security-advisories/cve-2026-28380. … Detailed patch versions, workarounds, and compensating controls in full report.

Vendor Status (vendor-supplied)

SUSE

Severity: Medium

Product status:
SUSE Linux Enterprise Module for Package Hub 15 SP7: Fixed
SUSE Manager Client Tools 15: Fixed
SUSE Manager Client Tools for SLE 15: Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4: Fixed
