CVE-2026-28374
Published 2026-05-13
CVE-2026-28374: Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
Priority P421 · medium · 4.3 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.20% (9.8th percentile)
Affected
27 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.4.0 < 12.4.3 | 12.4.3 |
| grafana | grafana | >= 8.5.0 < 11.6.14 | 11.6.14 |
| grafana | grafana_oss | >= 11.6.14 < 11.6.14+security-04 | 11.6.14+security-04 |
| grafana | grafana_oss | 12.0.0 – 12.2.8 | — |
| grafana | grafana_oss | >= 12.2.8 < 12.2.8+security-04 | 12.2.8+security-04 |
| grafana | grafana_oss | 12.3.0 – 12.3.6 | — |
| grafana | grafana_oss | >= 12.3.6 < 12.3.6+security-04 | 12.3.6+security-04 |
| grafana | grafana_oss | 12.4.0 – 12.4.3 | — |
| grafana | grafana_oss | >= 12.4.3 < 12.4.3+security-02 | 12.4.3+security-02 |
| grafana | grafana_oss | 13.0.0 – 13.0.1 | — |
| grafana | grafana_oss | >= 13.0.1 < 13.0.1+security-01 | 13.0.1+security-01 |
| grafana | grafana_oss | 8.5.0 – 11.6.14 | — |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| rhacm2 | acm-grafana-rhel9 | — | — |
| rhceph | grafana-rhel10 | — | — |
| rhceph | grafana-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vendor_redhat · 4.3 MEDIUM
Red Hat
grafana: Grafana: Unauthorized annotation deletion by editor users
vendor_redhat · 2026-05-13 · CVSS 4.3
CVE-2026-28374 [MEDIUM] CWE-1220 grafana: Grafana: Unauthorized annotation deletion by editor users
A flaw was found in Grafana. An authenticated editor user could exploit this vulnerability to delete any annotation, even those for which they lack read permissions. This unauthorized action compromises the integrity of data by allowing deletion of information beyond their intended access scope.
Package: multicluster-globalhub/multicluster-globalhub-grafana-rhel9 (Multicluster Global Hub) - Fix deferred
Package: rhacm2/acm-grafana-rhel9 (Red Hat Advanced Cluster Management for Kubernetes 2) - Fix deferred
Package: rhceph/rhceph-5-dashboard-rhel8 (Red Hat Ceph Storage 5) - Not affected
Package: rhceph/rhceph-6-dashboard-rhel9 (Red Hat Ceph Storage 6) - Not affected
Package: rhceph/grafana-rhel9 (Red Hat Ceph Storage 8)
VulDB
Grafana OSS up to 13.0.1+security-00 access control (WID-SEC-2026-1546)
vuldb · 2026-05-16 · CVSS 4.3
CVE-2026-28374 [MEDIUM] Grafana OSS up to 13.0.1+security-00 access control (WID-SEC-2026-1546)
A vulnerability, which was classified as critical, was found in Grafana OSS. The impacted element is an unknown function. Such manipulation leads to improper access controls.
This vulnerability is uniquely identified as CVE-2026-28374. The attack can be launched remotely. No exploit exists.
You should upgrade the affected component.
GHSA
GHSA-8mrj-8pc8-39jm: Editors could delete any annotation, even those they do not have read access to
ghsa_unreviewed · 2026-05-13
CVE-2026-28374 [MEDIUM] CWE-284 GHSA-8mrj-8pc8-39jm: Editors could delete any annotation, even those they do not have read access to
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
No detection rules found.
No public exploits indexed.
Published: 2026-05-13