Description
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
Published: 2026-05-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Annotations API allowed editor users to delete any annotation regardless of the lack of read permissions. This IDOR vulnerability enables an attacker who is authenticated as an editor to remove annotations that they should not have visibility into, compromising data integrity and potentially erasing critical contextual information.

Affected Systems

The affected product is Grafana OSS. Specific versions are not listed in the advisory, so all currently deployed instances of Grafana OSS remain potentially vulnerable until verified patching.

Risk and Exploitability

The CVSS score of 4.3 places the issue in the low to moderate range, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to authenticate as an editor and then exploit the DELETE API endpoint; no remote unauthenticated exploit is described. The absence of exploit data suggests a lower likelihood, but the confidentiality impact is limited because a reader is not granted deletion rights, and the attackers cannot read hidden annotations. Nonetheless, the data loss angle warrants attention.

Generated by OpenCVE AI on May 13, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grafana to the latest released version that contains the fix for CVE-2026-28374
  • If an immediate upgrade is not possible, disable the DELETE operation for annotations or restrict it to users with explicit permission through Grafana’s role‑based access controls
  • Enable detailed audit logging for all annotation deletion actions and regularly review logs for unauthorized activity

Generated by OpenCVE AI on May 13, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana grafana
Vendors & Products Grafana
Grafana grafana

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-639

Wed, 13 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
Title IDOR in Annotations API allows unprivileged users to DELETE annotation
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Grafana Grafana
cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-05-14T12:33:13.749Z

Reserved: 2026-02-27T07:16:12.218Z

Link: CVE-2026-28374

cve-icon Vulnrichment

Updated: 2026-05-14T12:33:09.731Z

cve-icon NVD

Status : Received

Published: 2026-05-13T20:16:19.583

Modified: 2026-05-14T13:16:16.960

Link: CVE-2026-28374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:00:19Z

Weaknesses