Description
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
Published: 2026-07-07
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The public dashboard deletion endpoint in Grafana does not enforce organization isolation. An organization administrator can craft requests containing dashboard identifiers from another organization and thereby delete those dashboards. The flaw leads to unauthorized removal of data and loss of functionality, representing a potential data loss and disruption of service. The underlying weakness is an improper access control that fails to verify ownership before performing the delete operation.

Affected Systems

This issue affects Grafana Enterprise and Grafana OSS, regardless of version, since no specific affected version information is provided. Any instance exposing the public dashboard deletion endpoint is vulnerable.

Risk and Exploitability

The CVSS score of 3.1 classifies the vulnerability as low severity. The EPSS score is not available, and the issue is not listed in the CISA belonging to other organizations by supplying their identifiers to the deletion API. Thus the risk is limited to internal users with sufficient privileges and a properly configured Grafana instance.

Generated by OpenCVE AI on July 8, 2026 at 04:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Grafana's security advisories for the latest patch and apply it immediately.
  • Restrict the deletion operation to dashboards owned by the requesting organization, ensuring that the API verifies ownership before deletion.
  • If a patch is not yet available, isolate the Grafana instance by network segmentation or firewall rules to prevent unauthorized internal access to the deletion endpoint.

Generated by OpenCVE AI on July 8, 2026 at 04:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-639

Tue, 07 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
Title Cross-Organization Public Dashboard Deletion via Missing Org Isolation
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-07-07T21:08:04.579Z

Reserved: 2026-02-27T07:16:12.218Z

Link: CVE-2026-28378

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T04:15:04Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-639

    Authorization Bypass Through User-Controlled Key