CVE-2026-28374 PUBLISHED

IDOR in Annotations API allows unprivileged users to DELETE annotation

Assigner: GRAFANA
Reserved: 27.02.2026 Published: 13.05.2026 Updated: 13.05.2026

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Product Status

Vendor Grafana
Product Grafana OSS
Versions Default: unaffected
  • affected from 8.5.0 to 11.6.14 (incl.)
  • affected from 11.6.14 to 11.6.14+security-04 (excl.)
  • affected from 12.0.0 to 12.2.8 (incl.)
  • affected from 12.2.8 to 12.2.8+security-04 (excl.)
  • affected from 12.3.0 to 12.3.6 (incl.)
  • affected from 12.3.6 to 12.3.6+security-04 (excl.)
  • affected from 12.4.0 to 12.4.3 (incl.)
  • affected from 12.4.3 to 12.4.3+security-02 (excl.)
  • affected from 13.0.0 to 13.0.1 (incl.)
  • affected from 13.0.1 to 13.0.1+security-01 (excl.)

References