Skip to main content

Grafana Enterprise

2 CVEs product

Monthly

CVE-2026-28378 LOW Monitor

Cross-organization authorization bypass in Grafana OSS and Enterprise allows an authenticated Org Admin to delete public dashboards owned by a different organization by supplying the target dashboard's identifiers to the deletion endpoint. The missing tenant-isolation check on the delete operation means any Org Admin - regardless of their organizational scope - can reach and destroy dashboards across organizational boundaries. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained impact and prerequisite of an existing Org Admin credential.

Grafana Enterprise Grafana Oss Authentication Bypass
NVD VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-27876 CRITICAL PATCH Act Now

Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.

Grafana RCE Code Injection Grafana Enterprise
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
EPSS 0% CVSS 2.7
LOW Monitor

Cross-organization authorization bypass in Grafana OSS and Enterprise allows an authenticated Org Admin to delete public dashboards owned by a different organization by supplying the target dashboard's identifiers to the deletion endpoint. The missing tenant-isolation check on the delete operation means any Org Admin - regardless of their organizational scope - can reach and destroy dashboards across organizational boundaries. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained impact and prerequisite of an existing Org Admin credential.

Grafana Enterprise Grafana Oss Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.

Grafana RCE Code Injection +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy