CVE-2026-28380
PUBLISHED
BAC in Snapshot API allows deletion of unauthorized dashboard snapshots
Assigner: GRAFANA
Reserved: 27.02.2026
Published: 13.05.2026
Updated: 13.05.2026
Any Editor could delete any snapshot, even one they had no access to read or write.
Metrics
CVSS 3.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 6.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Product Status
Vendor: Grafana
Product: Grafana OSS
Versions
Default: unaffected
affected from 9.4.0 to 11.6.14 (incl.)
affected from 11.6.14 to 11.6.14+security-04 (excl.)
affected from 12.0.0 to 12.2.8 (incl.)
affected from 12.2.8 to 12.2.8+security-04 (excl.)
affected from 12.3.0 to 12.3.6 (incl.)
affected from 12.3.6 to 12.3.6+security-04 (excl.)
affected from 12.4.0 to 12.4.3 (incl.)
affected from 12.4.3 to 12.4.3+security-02 (excl.)
affected from 13.0.0 to 13.0.1 (incl.)
affected from 13.0.1 to 13.0.1+security-01 (excl.)
References
https://grafana.com/security/security-advisories/cve-2026-28380