BAC in Snapshot API allows deletion of unauthorized dashboard snapshots

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Any Editor could delete any snapshot, even if they have no access to read or write them.

Basic Information

ID CVE-2026-28380

Source GRAFANA

Published May 13, 2026 at 19:28

Modified May 13, 2026 at 19:35

Affected Product

Vendor Grafana

Product Grafana OSS

Version 9.4.0

Affected Versions Grafana Grafana OSS 9.4.0
Grafana Grafana OSS 11.6.14
Grafana Grafana OSS 12.0.0
Grafana Grafana OSS 12.2.8
Grafana Grafana OSS 12.3.0
Grafana Grafana OSS 12.3.6
Grafana Grafana OSS 12.4.0
Grafana Grafana OSS 12.4.3
Grafana Grafana OSS 13.0.0
Grafana Grafana OSS 13.0.1

References

grafana.com /security/security-advisories/cve-2026-28380

{
    "lastseen": "",
    "description": "Any Editor could delete any snapshot, even if they have no access to read or write them.",
    "published": "2026-05-13T19:28:32.257Z",
    "modified": "2026-05-13T19:35:07.725Z",
    "type": "cve",
    "title": "BAC in Snapshot API allows deletion of unauthorized dashboard snapshots",
    "source": "GRAFANA",
    "references": "https://grafana.com/security/security-advisories/cve-2026-28380",
    "id": "CVE-2026-28380",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Grafana Grafana OSS 9.4.0\nGrafana Grafana OSS 11.6.14\nGrafana Grafana OSS 12.0.0\nGrafana Grafana OSS 12.2.8\nGrafana Grafana OSS 12.3.0\nGrafana Grafana OSS 12.3.6\nGrafana Grafana OSS 12.4.0\nGrafana Grafana OSS 12.4.3\nGrafana Grafana OSS 13.0.0\nGrafana Grafana OSS 13.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Grafana OSS",
    "version": "9.4.0",
    "vendor": "Grafana",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

BAC in Snapshot API allows deletion of unauthorized dashboard snapshots_CVE-2026-28380

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply