| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Grafana | Grafana OSS | 9.4.0 ≤ 11.6.14 | affected |
| Grafana | Grafana OSS | 11.6.14 < 11.6.14+security-04 | affected |
| Grafana | Grafana OSS | 12.0.0 ≤ 12.2.8 | affected |
| Grafana | Grafana OSS | 12.2.8 < 12.2.8+security-04 | affected |
| Grafana | Grafana OSS | 12.3.0 ≤ 12.3.6 | affected |
| Grafana | Grafana OSS | 12.3.6 < 12.3.6+security-04 | affected |
| Grafana | Grafana OSS | 12.4.0 ≤ 12.4.3 | affected |
| Grafana | Grafana OSS | 12.4.3 < 12.4.3+security-02 | affected |
| … +2 more rows | | | |

| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Grafana | Grafana OSS | 9.4.0 ~ 11.6.14 | - |

No public POC found.

| CVE ID | Severity | Title |
|---|---|---|
| CVE-2026-33376 | 7.4 HIGH | Auth Proxy IPv6 whitelist bypass |
| CVE-2026-33377 | 7.1 HIGH | Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin |
| CVE-2026-28379 | 6.5 MEDIUM | Viewer-triggered race condition in Grafana Live leads to complete server crash |
| CVE-2026-28383 | 6.5 MEDIUM | Grafana plugin resources can lead to unbounded memory allocation |
| CVE-2026-28376 | 6.5 MEDIUM | Grafana Live push endpoint allows unbounded memory allocation leading to OOM |
| CVE-2026-33378 | 6.5 MEDIUM | Grafana Data Source Plugin: DoS (OOM) via Negative Interval Injection in $__timeGroup Macr |
| CVE-2026-33380 | 6.3 MEDIUM | SQL Expressions Read File From Disk |
| CVE-2026-33381 | 5.9 MEDIUM | Users can generate Service Account tokens after permissions removal |
| CVE-2026-28374 | 4.3 MEDIUM | IDOR in Annotations API allows unprivileged users to DELETE annotation |