Authorization bypass through user-controlled key in Grafana - CVE-2026-28374

 


Published: May 18, 2026


Vulnerability identifier: #VU131632
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28374
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grafana Labs
Affected software: Grafana

Detailed vulnerability description

The vulnerability allows a remote user to delete annotations they should not be able to access.

The vulnerability exists due to improper access control in the annotations API when handling delete requests. A remote user can send a crafted delete request to remove annotations they do not have read access to.

The issue affects editor users, who can delete annotations even though they cannot create or read them.
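The flaw class described above, as an added example that is not Grafana's code: a hypothetical Go annotation store in which one delete path checks only the caller's role (so a user-supplied annotation ID is never authorized against the object it references, CWE-639), beside a fixed path that first requires read access to the annotation's dashboard. All type names, roles and IDs are assumptions constructed for the example.

```go
package main

import "errors"

// Annotation is scoped to a dashboard; access to it derives from that
// dashboard's permissions (hypothetical model, not Grafana's schema).
type Annotation struct{ ID, DashboardID int64 }

// User has an org role plus the set of dashboard IDs it may read.
type User struct {
	Role    string
	CanRead map[int64]bool
}

var ErrForbidden, ErrNotFound = errors.New("forbidden"), errors.New("not found")

// Store holds annotations keyed by the ID a client supplies in a delete request.
type Store struct{ annotations map[int64]Annotation }

// newStore builds constructed sample data: one annotation on each of two dashboards.
func newStore() *Store {
	return &Store{annotations: map[int64]Annotation{
		10: {ID: 10, DashboardID: 1}, 20: {ID: 20, DashboardID: 2}}}
}

// canWrite is the role check alone; it says nothing about a specific object.
func canWrite(u User) bool { return u.Role == "Editor" || u.Role == "Admin" }

// deleteVulnerable gates only on the caller's role; the user-supplied ID is
// never checked against the objects the caller may read (CWE-639).
func (s *Store) deleteVulnerable(u User, id int64) error {
	if !canWrite(u) {
		return ErrForbidden
	}
	if _, ok := s.annotations[id]; !ok {
		return ErrNotFound
	}
	delete(s.annotations, id)
	return nil
}

// deleteFixed resolves the referenced object first and requires read access
// to its dashboard; missing and unreadable answer alike to avoid an ID oracle.
func (s *Store) deleteFixed(u User, id int64) error {
	a, ok := s.annotations[id]
	if !ok || !u.CanRead[a.DashboardID] {
		return ErrNotFound
	}
	if !canWrite(u) {
		return ErrForbidden
	}
	delete(s.annotations, id)
	return nil
}
```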


How to mitigate CVE-2026-28374

Install the security update from the vendor's website.

Sources