Grafana Public Dashboard Deletion Endpoint Org Isolation Bypass
CVE-2026-28378 Published on July 7, 2026

Cross-Organization Public Dashboard Deletion via Missing Org Isolation
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.

Vendor Advisory NVD

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-28378 has been classified to as an Authorization vulnerability or weakness.


Products Associated with CVE-2026-28378

Want to know whenever a new CVE is published for Grafana Labs Grafana? stack.watch will email you.

 

Affected Versions

Grafana Enterprise: Grafana OSS: