{"id":"CVE-2026-28378","summary":"Cross-Organization Public Dashboard Deletion via Missing Org Isolation","details":"The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.","aliases":["BIT-grafana-2026-28378"],"modified":"2026-07-17T03:41:53.702355456Z","published":"2026-07-07T21:08:04.579Z","database_specific":{"cna_assigner":"GRAFANA","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28378.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"11.6.0"},{"last_affected":"11.6.13"},{"introduced":"12.1.0"},{"last_affected":"12.1.9"},{"introduced":"12.2.0"},{"last_affected":"12.2.7"},{"introduced":"12.3.0"},{"last_affected":"12.3.5"},{"introduced":"12.4.0"},{"last_affected":"12.4.1"},{"introduced":"11.6.0"},{"last_affected":"11.6.13"},{"introduced":"12.1.0"},{"last_affected":"12.1.9"},{"introduced":"12.2.0"},{"last_affected":"12.2.7"},{"introduced":"12.3.0"},{"last_affected":"12.3.5"},{"introduced":"12.4.0"},{"last_affected":"12.4.1"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28378.json"},{"type":"ADVISORY","url":"https://grafana.com/security/security-advisories/cve-2026-28378"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28378"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana","events":[{"introduced":"d2fdff9ee4d75c74bfd3a97c18a0b8e4d029f06e"},{"last_affected":"54c6e81cce189b5978d15f6d9588c68b1c74cb27"},{"introduced":"ccd7b6ce7ea6184b8c7eb1de044174147dd9a648"},{"last_affected":"629bb2f60c66e79d2feb39d5e6cc4d1aca256d7a"},{"introduced":"92f1fba9b4b6700328e99e97328d6639df8ddc3d"},{"last_affected":"a14f3c6c99495f2ef84e0b112707c5983ebcc089"},{"introduced":"20051fb1fc604fc54aae76356da1c14612af41d0"},{"last_affected":"6b96ceff49a8b6a5cb85773061d2ee8b1bef8f56"},{"introduced":"d1729c53a7f44e2e58947eb44eb896c2fb1c30b3"},{"last_affected":"d1729c53a7f44e2e58947eb44eb896c2fb1c30b3"}],"database_specific":{"cpe":["cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*","cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:grafana:grafana:12.4.0:*:*:*:-:*:*:*","cpe:2.3:a:grafana:grafana:12.4.0:*:*:*:enterprise:*:*:*"],"extracted_events":[{"introduced":"11.6.0"},{"last_affected":"11.6.13"},{"introduced":"12.1.0"},{"last_affected":"12.1.9"},{"introduced":"12.2.0"},{"last_affected":"12.2.7"},{"introduced":"12.3.0"},{"last_affected":"12.3.5"},{"introduced":"12.4.0"},{"last_affected":"12.4.0"}],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["12.4.0","v11.6.13","v12.1.9","v11.6.12","v12.4.0","v12.1.8","v12.1.7","v11.6.11","v12.1.6","v11.6.10","v12.1.5","v11.6.9","v11.6.8","v12.1.4","v12.1.3","v11.6.7","v12.1.2","v11.6.6","v12.1.1","v11.6.5","v11.6.4","v12.1.0","v11.6.2","v11.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28378.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}