PatchSiren cyber security CVE debrief
CVE-2026-28378 Grafana CVE debrief
CVE-2026-28378 is a security issue in the public dashboard deletion endpoint of Grafana. An Org Admin in one organization can delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers. This issue arises from the endpoint's failure to enforce organization isolation. The vulnerability has a CVSS score of 3.1 and a severity of LOW. Users should verify their configurations to ensure proper isolation between organizations. The issue was reported and verified through official channels, but details are limited. Further verification is recommended.
- Vendor
- Grafana
- Product
- Grafana Enterprise
- CVSS
- LOW 3.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Grafana's public dashboard feature, particularly those with multiple organizations, should verify their configurations and ensure proper isolation between organizations. This includes reviewing current Org Admin permissions and monitoring dashboard deletion logs for suspicious activity.
Technical summary
The public dashboard deletion endpoint does not enforce organization isolation. This allows an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers. The issue has a CVSS score of 3.1 and a severity of LOW. This technical limitation could lead to unauthorized dashboard deletions if not properly mitigated.
Defensive priority
Low-priority defensive actions recommended. However, given the potential for unauthorized dashboard deletions, organizations should prioritize verifying their configurations and monitoring for suspicious activity. Immediate action may not be required, but awareness and preparedness are crucial. Recommended actions include verifying organization isolation configurations, restricting Org Admin permissions, and monitoring dashboard deletion logs.
Recommended defensive actions
- Verify organization isolation configurations for public dashboards
- Restrict Org Admin permissions to prevent cross-organization dashboard deletion
- Monitor dashboard deletion logs for suspicious activity
Evidence notes
Evidence is limited. Primary official records indicate a security issue in the public dashboard deletion endpoint. Further verification and inventory checks are recommended. The CVE record was published on 2026-07-07T22:16:50.607Z and has not been modified since then. No additional information is available from the source.
Official resources
-
CVE-2026-28378 CVE record
CVE.org
-
CVE-2026-28378 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T22:16:50.607Z and has not been modified since then.