CVE-2026-28374

Source
https://cve.org/CVERecord?id=CVE-2026-28374
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28374.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28374
Aliases
Downstream
Related
Published
2026-05-13T19:28:40.053Z
Modified
2026-07-16T03:31:12.882219846Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
IDOR in Annotations API allows unprivileged users to DELETE annotation
Details

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28374.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "8.5.0"
                },
                {
                    "last_affected": "11.6.14"
                },
                {
                    "introduced": "11.6.14"
                },
                {
                    "fixed": "11.6.14+security-04"
                },
                {
                    "introduced": "12.0.0"
                },
                {
                    "last_affected": "12.2.8"
                },
                {
                    "introduced": "12.2.8"
                },
                {
                    "fixed": "12.2.8+security-04"
                },
                {
                    "introduced": "12.3.0"
                },
                {
                    "last_affected": "12.3.6"
                },
                {
                    "introduced": "12.3.6"
                },
                {
                    "fixed": "12.3.6+security-04"
                },
                {
                    "introduced": "12.4.0"
                },
                {
                    "last_affected": "12.4.3"
                },
                {
                    "introduced": "12.4.3"
                },
                {
                    "fixed": "12.4.3+security-02"
                },
                {
                    "introduced": "13.0.0"
                },
                {
                    "last_affected": "13.0.1"
                },
                {
                    "introduced": "13.0.1"
                },
                {
                    "fixed": "13.0.1+security-01"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GRAFANA"
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:11.6.14:-:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:11.6.14:security01:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.2.8:-:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.2.8:security01:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.3.6:-:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.3.6:security01:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.4.3:-:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:13.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:13.0.1:-:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "8.5.0"
        },
        {
            "fixed": "11.6.14"
        },
        {
            "introduced": "12.2.0"
        },
        {
            "fixed": "12.2.8"
        },
        {
            "introduced": "12.3.0"
        },
        {
            "fixed": "12.3.6"
        },
        {
            "introduced": "12.4.0"
        },
        {
            "fixed": "12.4.3"
        },
        {
            "introduced": "11.6.14-NA"
        },
        {
            "last_affected": "11.6.14-NA"
        },
        {
            "introduced": "11.6.14-security01"
        },
        {
            "last_affected": "11.6.14-security01"
        },
        {
            "introduced": "12.2.8-NA"
        },
        {
            "last_affected": "12.2.8-NA"
        },
        {
            "introduced": "12.2.8-security01"
        },
        {
            "last_affected": "12.2.8-security01"
        },
        {
            "introduced": "12.3.6-NA"
        },
        {
            "last_affected": "12.3.6-NA"
        },
        {
            "introduced": "12.3.6-security01"
        },
        {
            "last_affected": "12.3.6-security01"
        },
        {
            "introduced": "12.4.3-NA"
        },
        {
            "last_affected": "12.4.3-NA"
        },
        {
            "introduced": "13.0.0"
        },
        {
            "last_affected": "13.0.0"
        },
        {
            "introduced": "13.0.1-NA"
        },
        {
            "last_affected": "13.0.1-NA"
        }
    ]
}

Affected versions

11.*
11.6.14-NA
11.6.14-security01
12.*
12.2.8-NA
12.2.8-security01
12.3.6-NA
12.3.6-security01
12.4.3-NA
13.*
13.0.0
13.0.1-NA

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28374.json"