Improper access control in Grafana - CVE-2026-28378
Published: July 13, 2026
Grafana
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the public dashboard deletion endpoint does not enforce organization isolation. A remote user can supply the target dashboard’s identifiers to delete public dashboards belonging to a different organization.