Impact
The public dashboard deletion endpoint in Grafana does not enforce organization isolation. An organization administrator can craft requests containing dashboard identifiers from another organization and thereby delete those dashboards. The flaw leads to unauthorized removal of data and loss of functionality, representing a potential data loss and disruption of service. The underlying weakness is an improper access control that fails to verify ownership before performing the delete operation.
Affected Systems
This issue affects Grafana Enterprise and Grafana OSS, regardless of version, since no specific affected version information is provided. Any instance exposing the public dashboard deletion endpoint is vulnerable.
Risk and Exploitability
The CVSS score of 3.1 classifies the vulnerability as low severity. The EPSS score is not available, and the issue is not listed in the CISA belonging to other organizations by supplying their identifiers to the deletion API. Thus the risk is limited to internal users with sufficient privileges and a properly configured Grafana instance.
OpenCVE Enrichment