PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28378 Grafana CVE debrief

CVE-2026-28378 is a security issue in the public dashboard deletion endpoint of Grafana. An Org Admin in one organization can delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers. This issue arises from the endpoint's failure to enforce organization isolation. The vulnerability has a CVSS score of 3.1 and a severity of LOW. Users should verify their configurations to ensure proper isolation between organizations. The issue was reported and verified through official channels, but details are limited. Further verification is recommended.

Vendor
Grafana
Product
Grafana Enterprise
CVSS
LOW 3.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Grafana's public dashboard feature, particularly those with multiple organizations, should verify their configurations and ensure proper isolation between organizations. This includes reviewing current Org Admin permissions and monitoring dashboard deletion logs for suspicious activity.

Technical summary

The public dashboard deletion endpoint does not enforce organization isolation. This allows an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers. The issue has a CVSS score of 3.1 and a severity of LOW. This technical limitation could lead to unauthorized dashboard deletions if not properly mitigated.

Defensive priority

Low-priority defensive actions recommended. However, given the potential for unauthorized dashboard deletions, organizations should prioritize verifying their configurations and monitoring for suspicious activity. Immediate action may not be required, but awareness and preparedness are crucial. Recommended actions include verifying organization isolation configurations, restricting Org Admin permissions, and monitoring dashboard deletion logs.

Recommended defensive actions

  • Verify organization isolation configurations for public dashboards
  • Restrict Org Admin permissions to prevent cross-organization dashboard deletion
  • Monitor dashboard deletion logs for suspicious activity

Evidence notes

Evidence is limited. Primary official records indicate a security issue in the public dashboard deletion endpoint. Further verification and inventory checks are recommended. The CVE record was published on 2026-07-07T22:16:50.607Z and has not been modified since then. No additional information is available from the source.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T22:16:50.607Z and has not been modified since then.