IDOR in Annotations API allows unprivileged users to DELETE annotation
| Severity: | Medium |
| Advisory ID: | CVE-2026-28374 |
| Published: | 2026-05-13 |
| Product: | Grafana |
| CVSS Score: | 4.3 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| Fixed Versions: | >=11.6.14+security-04, >=12.2.8+security-04, >=12.3.6+security-04, >=12.4.3+security-02, >=13.0.1+security-01 |
Summary
A user with the Editor role could delete any annotation by its ID, including annotations on dashboards the user has no read access to. The same user can neither create nor read those annotations; only the delete operation lacked the access check.
This vulnerability was reported via our bug bounty program.
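The fixed-version list above is the check most operators actually need: is the instance I run at or above the patched release for its line? The script below is an added example written for this page, not Grafana's own code. It parses Grafana version strings (the `version` field of the `GET /api/health` response is the usual source; this example assumes that field carries the `+security-NN` suffix on security builds) and compares them against the advisory's list. Two assumptions are marked in the code: a release line older than the patched ones with no listed fix is reported as affected, and a line newer than all of them is reported as fixed.

```python
import re
from typing import Dict, Tuple

# Patched releases listed in this advisory, one per supported release line.
FIXED_VERSIONS = (
    "11.6.14+security-04",
    "12.2.8+security-04",
    "12.3.6+security-04",
    "12.4.3+security-02",
    "13.0.1+security-01",
)

# Accepts "12.2.8", "v12.2.8", "12.2.8+security-04" and pre-release builds
# such as "12.3.0-pre" or "12.3.0-12345".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+security-(\d+))?$"
)

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Convert a Grafana version string into a comparable tuple.

    "+security-NN" is not treated as semver build metadata: Grafana ships it
    as a patch that sits strictly above the bare release, so it becomes a
    fourth numeric component (0 when absent). A pre-release tag ("-pre",
    "-12345") is an unreleased build of that version and is assumed to lack
    the fix unless it also carries the security suffix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch, _prerelease, security = m.groups()
    return (int(major), int(minor), int(patch), int(security) if security else 0)


def _fixed_by_line(fixed_versions) -> Dict[Tuple[int, int], Tuple[Version, str]]:
    """Index the patched releases by their major.minor release line."""
    index = {}
    for text in fixed_versions:
        v = parse_version(text)
        index[v[:2]] = (v, text)
    return index


def is_fixed(installed: str, fixed_versions=FIXED_VERSIONS) -> Tuple[bool, str]:
    """Return (fixed, reason) for an installed Grafana version.

    Assumptions: a release line newer than every patched line branched after
    the fix and is reported as fixed; an older line that has no patched
    release is out of support and is reported as affected.
    """
    v = parse_version(installed)
    by_line = _fixed_by_line(fixed_versions)
    line = v[:2]
    if line in by_line:
        patched, patched_text = by_line[line]
        if v >= patched:
            return True, f"{installed} is at or above patched release {patched_text}"
        return False, f"{installed} is below patched release {patched_text}"
    if line > max(by_line):
        return True, f"{installed} is on a release line newer than all patched lines"
    return False, f"{installed} is on a release line with no patched release; upgrade"


def check_health(payload: dict) -> Tuple[bool, str]:
    """Evaluate the JSON body of GET /api/health, e.g. {"version": "12.2.8"}."""
    return is_fixed(payload["version"])


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real instance.
    for sample in ("12.2.8", "12.2.8+security-04", "13.0.0", "13.1.0", "12.1.2"):
        fixed, reason = is_fixed(sample)
        print("FIXED    " if fixed else "AFFECTED ", reason)
```

Note that a bare `12.2.8` is reported as affected even though its major.minor.patch equals the patched release: the fix is in the `+security-04` build, and treating the suffix as ignorable build metadata (as a generic semver library would) is exactly the mistake this comparison avoids.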