Insecure Deletion Flaw in Grafana by Grafana Labs
CVE-2026-28378

3.1LOW

Key Information:

Vendor

Grafana

Vendor
CVE Published:
7 July 2026

What is CVE-2026-28378?

An insecure deletion flaw exists in Grafana, where the public dashboard deletion endpoint fails to enforce proper organization isolation. As a result, an Org Admin from one organization can inadvertently or maliciously delete public dashboards associated with different organizations simply by providing the relevant dashboard identifiers. This security oversight poses significant risks to data integrity and access control within shared environments.

Affected Version(s)

Grafana Enterprise 11.6.0 <= 11.6.13

Grafana Enterprise 12.1.0 <= 12.1.9

Grafana Enterprise 12.2.0 <= 12.2.7

References

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rpgsec (Researcher)
.