CVE-2026-28378 in Grafana
Summary
by MITRE • 07/08/2026
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
This vulnerability represents a critical access control flaw that violates fundamental security principles of organizational separation and privilege enforcement within multi-tenant systems. The issue manifests in the public dashboard deletion endpoint where proper authorization checks fail to validate whether the requesting organization has legitimate rights to modify resources belonging to other organizations. This weakness directly contravenes the principle of least privilege and organizational boundary enforcement that should be maintained across all system components.
The technical implementation flaw stems from inadequate input validation and missing authorization logic within the dashboard management API endpoint. When an organization administrator attempts to delete a public dashboard, the system accepts the target dashboard identifier without verifying that the requesting user's organization owns or has proper access rights to that specific resource. This allows for cross-organization privilege escalation attacks where malicious actors can leverage their administrative privileges in one tenant to manipulate resources in another tenant.
From an operational impact perspective, this vulnerability creates significant security risks including potential data integrity violations, unauthorized resource destruction, and cross-tenant information exposure. An attacker could systematically delete public dashboards from competing organizations, disrupt business operations, or gain insights into other tenants' data visualization strategies. The vulnerability also enables potential denial-of-service scenarios where entire dashboard collections within target organizations could be eliminated by unauthorized administrators.
The flaw aligns with CWE-284 (Improper Access Control) and represents a specific implementation of inadequate authorization controls that can be categorized under ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing). Organizations using this system face heightened risk of insider threats or compromised administrative accounts being exploited to target other tenants. The vulnerability's exploitability is relatively straightforward requiring only knowledge of dashboard identifiers and existing administrative access within one organization.
Effective mitigations include implementing robust organization-level access control checks at the API endpoint level, enforcing mandatory organization context validation for all dashboard management operations, and establishing proper authorization boundaries between tenant environments. Systems should validate that the requesting user's organization matches the target resource's organizational ownership before permitting any deletion operations. Additionally, comprehensive logging of all dashboard deletion activities with proper attribution to both source and target organizations enables detection of unauthorized access attempts and supports incident response procedures.