Home
LOW: 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:NDefault status
unaffected
11.6.0 (semver)
affected
12.1.0 (semver)
affected
12.2.0 (semver)
affected
12.3.0 (semver)
affected
12.4.0 (semver)
affected
Default status
unaffected
11.6.0 (semver)
affected
12.1.0 (semver)
affected
12.2.0 (semver)
affected
12.3.0 (semver)
affected
12.4.0 (semver)
affected
Description
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
Product status
11.6.0 (semver)
12.1.0 (semver)
12.2.0 (semver)
12.3.0 (semver)
12.4.0 (semver)
11.6.0 (semver)
12.1.0 (semver)
12.2.0 (semver)
12.3.0 (semver)
12.4.0 (semver)
Credits
rpgsec (Researcher)
References
grafana.com/security/security-advisories/cve-2026-28378