Insecure Deletion Flaw in Grafana by Grafana Labs
CVE-2026-28378
3.1LOW
What is CVE-2026-28378?
An insecure deletion flaw exists in Grafana, where the public dashboard deletion endpoint fails to enforce proper organization isolation. As a result, an Org Admin from one organization can inadvertently or maliciously delete public dashboards associated with different organizations simply by providing the relevant dashboard identifiers. This security oversight poses significant risks to data integrity and access control within shared environments.
Affected Version(s)
Grafana Enterprise 11.6.0 <= 11.6.13
Grafana Enterprise 12.1.0 <= 12.1.9
Grafana Enterprise 12.2.0 <= 12.2.7