CVEFinder.io

CVE-2026-28374

🔶 medium
Summary

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

CVSS Score: 4.3 (Medium)
EPSS Score: 0.0 (Exploit Probability)
Published Date: 2026-05-13
First Seen: 2026-05-17
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 5.4% of all 325,680 vulnerabilities in our database.

#308,013
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment (Updated: May 14, 2026)

Exploitation Status: None (No known exploits)
Automatable: NO (Requires human interaction)
Technical Impact: Partial (Limited system impact)

SSVC data provided by CISA

Last Modified: 2026-06-02
Source: NVD
CVSS Vector (3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE IDs (Weakness Types)

📦 Affected Products 10

🔗 References 1

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-28376 | 🔶 medium | 6.5 | 0.0 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming req... | 2026-05-13 |
| CVE-2026-28379 | 🔶 medium | 6.5 | 0.0 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concur... | 2026-05-13 |
| CVE-2026-28380 | 🔶 medium | 6.5 | 0.0 | Any Editor could delete any snapshot, even if they have no access to read or write them. | 2026-05-13 |
| CVE-2026-28383 | 🔶 medium | 6.5 | 0.0 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request b... | 2026-05-13 |
| CVE-2026-33376 | ⚠️ high | 7.4 | 0.0 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask expl... | 2026-05-13 |
| CVE-2026-33377 | ⚠️ high | 7.1 | 0.0 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have wr... | 2026-05-13 |

These CVEs affect the same products