CVE-2026-28378 PUBLISHED

Cross-Organization Public Dashboard Deletion via Missing Org Isolation

Assigner: GRAFANA
Reserved: 27.02.2026 Published: 07.07.2026 Updated: 08.07.2026

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 3.1

Product Status

Vendor Grafana
Product Grafana Enterprise
Versions Default: unaffected
  • affected from 11.6.0 to 11.6.13 (incl.)
  • affected from 12.1.0 to 12.1.9 (incl.)
  • affected from 12.2.0 to 12.2.7 (incl.)
  • affected from 12.3.0 to 12.3.5 (incl.)
  • affected from 12.4.0 to 12.4.1 (incl.)
Vendor Grafana
Product Grafana OSS
Versions Default: unaffected
  • affected from 11.6.0 to 11.6.13 (incl.)
  • affected from 12.1.0 to 12.1.9 (incl.)
  • affected from 12.2.0 to 12.2.7 (incl.)
  • affected from 12.3.0 to 12.3.5 (incl.)
  • affected from 12.4.0 to 12.4.1 (incl.)

Credits

  • rpgsec (Researcher) finder

References