Impact
A vulnerability in the snapshot API allows a user with the Editor role to delete any dashboard snapshot, including snapshots the user has no permission to read or write. An attacker can use it to remove snapshot data that others rely on, disrupt reporting, and leave gaps in the historical record that snapshots preserve, a loss of both integrity and availability of that data. The root weakness is a missing authorization check on snapshot deletion: the endpoint does not verify that the caller is allowed to act on the particular snapshot named in the request, so holding the Editor role is enough. This is classified as Missing Authorization (CWE‑862) and Authorization Bypass Through User-Controlled Key (CWE‑639).
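The missing check is easiest to see side by side. The following Go snippet is an added example written for this page, not Grafana's code: it models a delete handler that gates only on the caller's role (the flaw) next to one that also checks, per snapshot, that the caller is in the same org and is either the snapshot's creator or an org Admin. The role names Admin/Editor/Viewer are Grafana's org roles; the ownership policy, the Store type and the snapshot key are assumptions made for the illustration, not the vendor's fix.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is the caller's org role. Grafana's Admin/Editor/Viewer names are
// used, but the policy below is a simplified model, not Grafana's own code.
type Role string

const (
	RoleAdmin  Role = "Admin"
	RoleEditor Role = "Editor"
	RoleViewer Role = "Viewer"
)

// Requester is the authenticated caller of the delete endpoint.
type Requester struct {
	UserID int64
	OrgID  int64
	Role   Role
}

// Snapshot records who created it and in which org.
type Snapshot struct {
	Key    string
	UserID int64
	OrgID  int64
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("snapshot not found")
)

// Store is an in-memory stand-in for the snapshot table (assumed for the example).
type Store struct{ byKey map[string]Snapshot }

func NewStore(snaps ...Snapshot) *Store {
	s := &Store{byKey: map[string]Snapshot{}}
	for _, sn := range snaps {
		s.byKey[sn.Key] = sn
	}
	return s
}

// Len reports how many snapshots remain.
func (s *Store) Len() int { return len(s.byKey) }

// DeleteVulnerable models the flaw (CWE-862): the only gate is the caller's
// role, so any Editor can delete any snapshot by naming its key (CWE-639),
// whatever its org or owner.
func (s *Store) DeleteVulnerable(r Requester, key string) error {
	if r.Role == RoleViewer {
		return ErrForbidden
	}
	if _, ok := s.byKey[key]; !ok {
		return ErrNotFound
	}
	delete(s.byKey, key)
	return nil
}

// canDelete is the missing object-level check (hypothetical policy): the
// caller must be in the snapshot's org and be either an org Admin or the
// user who created it.
func canDelete(r Requester, snap Snapshot) bool {
	if r.OrgID != snap.OrgID {
		return false
	}
	return r.Role == RoleAdmin || r.UserID == snap.UserID
}

// DeleteHardened looks the snapshot up and applies canDelete before mutating
// anything. A missing key and a denied delete return the same error, so a caller
// who may not read a snapshot cannot use deletion to learn whether its key exists.
func (s *Store) DeleteHardened(r Requester, key string) error {
	snap, ok := s.byKey[key]
	if !ok || !canDelete(r, snap) {
		return ErrNotFound
	}
	delete(s.byKey, key)
	return nil
}

func main() {
	snap := Snapshot{Key: "KfAbcd12", UserID: 1, OrgID: 1}
	other := Requester{UserID: 2, OrgID: 1, Role: RoleEditor} // not the owner
	fmt.Println("vulnerable:", NewStore(snap).DeleteVulnerable(other, snap.Key)) // <nil>: deleted
	fmt.Println("hardened:  ", NewStore(snap).DeleteHardened(other, snap.Key))   // snapshot not found
}
```

The point of the hardened path is the order of operations: load the object, decide on that object, then mutate. A role check alone answers "may this user delete snapshots at all", which is the wrong question; the decision has to be made against the snapshot the key resolves to.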
Affected Systems
The vulnerability affects Grafana OSS deployments. The advisory reports no specific affected version numbers, so every Grafana OSS installation should be treated as potentially affected until a vendor fix is applied or snapshot deletion is otherwise restricted.
Risk and Exploitability
The CVSS score of 6.5 places the vulnerability at medium severity. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, so there are no public reports of active exploitation. The likely attack path is an authenticated Editor account, either a malicious insider or a compromised credential, issuing delete requests to the snapshot API for snapshots the account cannot read. The need for valid credentials limits exposure but does not remove it: the outcome is permanent loss of snapshot data, so mitigation and monitoring of snapshot deletions are warranted.
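For the monitoring side, the following Go program is an added example, not part of the advisory or of Grafana: it parses lines in the logfmt shape that Grafana's router logging (router_logging = true in grafana.ini) writes and reports every successful DELETE of /api/snapshots/<key>, Grafana's delete-by-key endpoint, flagging the case where the same user's previous GET of that key was refused, which is the read-denied-but-delete-allowed pattern described above. The log lines are constructed for the example, and the field names (uname, userId, orgId, path, status) are assumed to match your instance's output; compare against a real line before deploying.

```go
package main

import (
	"fmt"
	"strings"
)

// parseLogfmt splits one logfmt line into key/value pairs. Values may be
// double-quoted (msg="Request Completed"); the quotes are stripped and \"
// inside them is unescaped. A bare key with no '=' maps to "".
func parseLogfmt(line string) map[string]string {
	f := map[string]string{}
	for i, n := 0, len(line); i < n; {
		for i < n && line[i] == ' ' {
			i++
		}
		if i >= n {
			break
		}
		start := i
		for i < n && line[i] != '=' && line[i] != ' ' {
			i++
		}
		key := line[start:i]
		if i >= n || line[i] == ' ' {
			f[key] = ""
			continue
		}
		i++ // consume '='
		if i < n && line[i] == '"' {
			var sb strings.Builder
			for i++; i < n && line[i] != '"'; i++ {
				if line[i] == '\\' && i+1 < n {
					i++
				}
				sb.WriteByte(line[i])
			}
			i++ // closing quote
			f[key] = sb.String()
			continue
		}
		start = i
		for i < n && line[i] != ' ' {
			i++
		}
		f[key] = line[start:i]
	}
	return f
}

// Alert is one completed DELETE of a snapshot. ReadDenied is set when the
// same user's most recent GET of that key in the log was not a 2xx: the
// page's scenario of deleting a snapshot the caller cannot read.
type Alert struct {
	Time, User, UserID, OrgID, Key string
	ReadDenied                     bool
}

// DetectSnapshotDeletes scans router-log lines in order and returns one Alert
// per successful DELETE /api/snapshots/<key>. Every success is reported because
// the access log does not record snapshot ownership; that must be joined from
// the snapshot list API or the database.
func DetectSnapshotDeletes(lines []string) []Alert {
	var alerts []Alert
	denied := map[string]bool{} // userId+"\x00"+key -> last GET was not 2xx
	for _, line := range lines {
		f := parseLogfmt(line)
		key := strings.TrimPrefix(f["path"], "/api/snapshots/")
		if f["msg"] != "Request Completed" || key == f["path"] || key == "" || strings.Contains(key, "/") {
			continue
		}
		ok := strings.HasPrefix(f["status"], "2")
		id := f["userId"] + "\x00" + key
		switch f["method"] {
		case "GET":
			denied[id] = !ok
		case "DELETE":
			if ok {
				alerts = append(alerts, Alert{f["t"], f["uname"], f["userId"], f["orgId"], key, denied[id]})
			}
		}
	}
	return alerts
}

// sampleLog is constructed for this example in the shape Grafana's router
// logging emits; it is not a capture from a real instance.
var sampleLog = []string{
	`logger=context userId=2 orgId=1 uname=editor t=2024-05-01T10:00:00Z level=info msg="Request Completed" method=GET path=/api/snapshots/KfAbcd12 status=403 remote_addr=10.0.0.5 time_ms=2 size=41`,
	`logger=context userId=2 orgId=1 uname=editor t=2024-05-01T10:00:01Z level=info msg="Request Completed" method=DELETE path=/api/snapshots/KfAbcd12 status=200 remote_addr=10.0.0.5 time_ms=3 size=29`,
	`logger=context userId=2 orgId=1 uname=editor t=2024-05-01T10:00:02Z level=info msg="Request Completed" method=DELETE path=/api/snapshots/Qz98Wxyz status=200 remote_addr=10.0.0.5 time_ms=3 size=29`,
	`logger=context userId=1 orgId=1 uname=admin t=2024-05-01T10:05:00Z level=info msg="Request Completed" method=GET path=/api/dashboard/snapshots status=200 remote_addr=10.0.0.9 time_ms=5 size=512`,
	`logger=context userId=3 orgId=1 uname=viewer t=2024-05-01T10:06:00Z level=info msg="Request Completed" method=DELETE path=/api/snapshots/KfAbcd12 status=403 remote_addr=10.0.0.7 time_ms=1 size=41`,
}

func main() {
	for _, a := range DetectSnapshotDeletes(sampleLog) {
		fmt.Printf("%s %s(id=%s) org=%s deleted %s readDenied=%t\n", a.Time, a.User, a.UserID, a.OrgID, a.Key, a.ReadDenied)
	}
}
```

Treat ReadDenied alerts as high priority and the rest as review items to reconcile against snapshot ownership; on an unpatched instance a legitimate owner deleting their own snapshot looks identical in the access log to an Editor deleting someone else's, so the log alone cannot close the case.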
OpenCVE Enrichment