🔐 CVE Alert

CVE-2026-28378

LOW 3.1

Cross-Organization Public Dashboard Deletion via Missing Org Isolation

CVSS Score
3.1
EPSS Score
0.1%
EPSS Percentile
3th

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.

Vendor grafana
Product grafana enterprise
Ecosystems
Industries
Technology
Published Jul 7, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for grafana grafana enterprise

Be the first to know when new low vulnerabilities affecting grafana grafana enterprise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

Grafana / Grafana Enterprise
11.6.0 ≤ 11.6.13 12.1.0 ≤ 12.1.9 12.2.0 ≤ 12.2.7 12.3.0 ≤ 12.3.5 12.4.0 ≤ 12.4.1
Grafana / Grafana OSS
11.6.0 ≤ 11.6.13 12.1.0 ≤ 12.1.9 12.2.0 ≤ 12.2.7 12.3.0 ≤ 12.3.5 12.4.0 ≤ 12.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
grafana.com: https://grafana.com/security/security-advisories/cve-2026-28378

Credits

rpgsec (Researcher)