CVE-2026-28380
Published 2026-05-13
CVE-2026-28380: Any Editor could delete any snapshot, even if they have no access to read or write them.
Priority P3 · 37 · medium · 6.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS 0.23% · 13.4th percentile
Any Editor could delete any snapshot, even if they have no access to read or write them.
Affected
27 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.4.0 < 12.4.3 | 12.4.3 |
| grafana | grafana | >= 8.5.0 < 11.6.14 | 11.6.14 |
| grafana | grafana_oss | >= 11.6.14 < 11.6.14+security-04 | 11.6.14+security-04 |
| grafana | grafana_oss | 12.0.0 – 12.2.8 | — |
| grafana | grafana_oss | >= 12.2.8 < 12.2.8+security-04 | 12.2.8+security-04 |
| grafana | grafana_oss | 12.3.0 – 12.3.6 | — |
| grafana | grafana_oss | >= 12.3.6 < 12.3.6+security-04 | 12.3.6+security-04 |
| grafana | grafana_oss | 12.4.0 – 12.4.3 | — |
| grafana | grafana_oss | >= 12.4.3 < 12.4.3+security-02 | 12.4.3+security-02 |
| grafana | grafana_oss | 13.0.0 – 13.0.1 | — |
| grafana | grafana_oss | >= 13.0.1 < 13.0.1+security-01 | 13.0.1+security-01 |
| grafana | grafana_oss | 9.4.0 – 11.6.14 | — |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| rhacm2 | acm-grafana-rhel9 | — | — |
| rhceph | grafana-rhel10 | — | — |
| rhceph | grafana-rhel9 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| vendor_redhat | — | 6.5 | MEDIUM | — |
VulDB
Grafana OSS up to 13.0.1+security-00 access control (WID-SEC-2026-1546)
vuldb · 2026-05-16 · CVSS 6.5 · MEDIUM
A vulnerability has been found in Grafana OSS and classified as critical. This affects an unknown function. Performing a manipulation results in improper access controls.
This vulnerability was named CVE-2026-28380. The attack may be initiated remotely. There is no available exploit.
The affected component should be upgraded.
GHSA
GHSA-29p4-5443-x453: Any Editor could delete any snapshot, even if they have no access to read or write them
ghsa_unreviewed · 2026-05-13 · MEDIUM · CWE-862
Any Editor could delete any snapshot, even if they have no access to read or write them.
Red Hat
grafana: Grafana: Unauthorized snapshot deletion via Broken Access Control in Snapshot API
vendor_redhat · 2026-05-13 · CVSS 6.5 · MEDIUM · CWE-639
A flaw was found in Grafana. An authenticated user with editor privileges could exploit a Broken Access Control (BAC) vulnerability in the Snapshot API. This flaw allows an editor to delete any dashboard snapshot, even those they do not have explicit read or write access to, leading to unauthorized data integrity loss.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Package: multicluster-globalhub/multicluster-globalhub-grafana-rhel9 (Multicluster Global Hub) - Fix deferred
Package: rhacm2/acm-grafana
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-28380 grafana: Grafana: Unauthorized snapshot deletion via Broken Access Control in Snapshot API [fedora-all]
bugzilla · 2026-05-25 · CVSS 6.5 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-28380 grafana: Grafana: Unauthorized snapshot deletion via Broken Access Control in Snapshot API
bugzilla · 2026-05-13 · CVSS 6.5 · MEDIUM
Any Editor could delete any snapshot, even if they have no access to read or write them.
Published 2026-05-13