CVE-2026-28378
Cross-Organization Public Dashboard Deletion via Missing Org Isolation
CVSS Score
3.1
EPSS Score
0.1%
EPSS Percentile
3th
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
| Vendor | grafana |
| Product | grafana enterprise |
| Ecosystems | |
| Industries | Technology |
| Published | Jul 7, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for grafana grafana enterprise
Be the first to know when new low vulnerabilities affecting grafana grafana enterprise are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
Grafana / Grafana Enterprise
11.6.0 ≤ 11.6.13 12.1.0 ≤ 12.1.9 12.2.0 ≤ 12.2.7 12.3.0 ≤ 12.3.5 12.4.0 ≤ 12.4.1
Grafana / Grafana OSS
11.6.0 ≤ 11.6.13 12.1.0 ≤ 12.1.9 12.2.0 ≤ 12.2.7 12.3.0 ≤ 12.3.5 12.4.0 ≤ 12.4.1
References
Credits
rpgsec (Researcher)