Grafana Public Dashboard Deletion Endpoint Org Isolation Bypass
CVE-2026-28378 Published on July 7, 2026
Cross-Organization Public Dashboard Deletion via Missing Org Isolation
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-28378 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2026-28378
Want to know whenever a new CVE is published for Grafana Labs Grafana? stack.watch will email you.
Affected Versions
Grafana Enterprise:- Version 11.6.0, <= 11.6.13 is affected.
- Version 12.1.0, <= 12.1.9 is affected.
- Version 12.2.0, <= 12.2.7 is affected.
- Version 12.3.0, <= 12.3.5 is affected.
- Version 12.4.0, <= 12.4.1 is affected.
- Version 11.6.0, <= 11.6.13 is affected.
- Version 12.1.0, <= 12.1.9 is affected.
- Version 12.2.0, <= 12.2.7 is affected.
- Version 12.3.0, <= 12.3.5 is affected.
- Version 12.4.0, <= 12.4.1 is affected.