Improper Permission Handling in Grafana Products by Grafana Labs
CVE-2026-28374

4.3 MEDIUM

Key Information:

Vendor: Grafana

CVE Published: 13 May 2026

What is CVE-2026-28374?

A vulnerability in Grafana allows a user with the Editor role to delete any annotation, circumventing access controls. Users who should not be able to interact with certain annotations can therefore alter or delete important data without authorization, which threatens data integrity and security.

Affected Version(s)

Grafana OSS OnPrem 8.5.0 <= 11.6.14

Grafana OSS OnPrem 11.6.14 < 11.6.14+security-04

Grafana OSS OnPrem 12.0.0 <= 12.2.8

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
