CVE-2026-28380

Source
https://cve.org/CVERecord?id=CVE-2026-28380
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28380.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28380
Aliases
Downstream
Related
Published
2026-05-13T19:28:32.257Z
Modified
2026-07-14T03:56:13.569948243Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
BAC in Snapshot API allows deletion of unauthorized dashboard snapshots
Details

Any Editor could delete any snapshot, even if they have no access to read or write them.

Database specific
{
    "cna_assigner": "GRAFANA",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "9.4.0"
                },
                {
                    "last_affected": "11.6.14"
                },
                {
                    "introduced": "11.6.14"
                },
                {
                    "fixed": "11.6.14+security-04"
                },
                {
                    "introduced": "12.0.0"
                },
                {
                    "last_affected": "12.2.8"
                },
                {
                    "introduced": "12.2.8"
                },
                {
                    "fixed": "12.2.8+security-04"
                },
                {
                    "introduced": "12.3.0"
                },
                {
                    "last_affected": "12.3.6"
                },
                {
                    "introduced": "12.3.6"
                },
                {
                    "fixed": "12.3.6+security-04"
                },
                {
                    "introduced": "12.4.0"
                },
                {
                    "last_affected": "12.4.3"
                },
                {
                    "introduced": "12.4.3"
                },
                {
                    "fixed": "12.4.3+security-02"
                },
                {
                    "introduced": "13.0.0"
                },
                {
                    "last_affected": "13.0.1"
                },
                {
                    "introduced": "13.0.1"
                },
                {
                    "fixed": "13.0.1+security-01"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28380.json"
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "8.5.0"
        },
        {
            "fixed": "11.6.14"
        },
        {
            "introduced": "12.2.0"
        },
        {
            "fixed": "12.2.8"
        },
        {
            "introduced": "12.3.0"
        },
        {
            "fixed": "12.3.6"
        },
        {
            "introduced": "12.4.0"
        },
        {
            "fixed": "12.4.3"
        },
        {
            "introduced": "11.6.14-NA"
        },
        {
            "last_affected": "11.6.14-NA"
        },
        {
            "introduced": "11.6.14-security01"
        },
        {
            "last_affected": "11.6.14-security01"
        },
        {
            "introduced": "12.2.8-NA"
        },
        {
            "last_affected": "12.2.8-NA"
        },
        {
            "introduced": "12.2.8-security01"
        },
        {
            "last_affected": "12.2.8-security01"
        },
        {
            "introduced": "12.3.6-NA"
        },
        {
            "last_affected": "12.3.6-NA"
        },
        {
            "introduced": "12.3.6-security01"
        },
        {
            "last_affected": "12.3.6-security01"
        },
        {
            "introduced": "12.4.3-NA"
        },
        {
            "last_affected": "12.4.3-NA"
        },
        {
            "introduced": "13.0.0"
        },
        {
            "last_affected": "13.0.0"
        },
        {
            "introduced": "13.0.1-NA"
        },
        {
            "last_affected": "13.0.1-NA"
        }
    ],
    "cpe": [
        "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:11.6.14:-:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:11.6.14:security01:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.2.8:-:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.2.8:security01:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.3.6:-:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.3.6:security01:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:12.4.3:-:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:13.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:grafana:grafana:13.0.1:-:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

11.*
11.6.14-NA
11.6.14-security01
12.*
12.2.8-NA
12.2.8-security01
12.3.6-NA
12.3.6-security01
12.4.3-NA
13.*
13.0.0
13.0.1-NA

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28380.json"