What is CVE-2026-28374?

CVE-2026-28374 is a security advisory published by Grafana Labs Security. IDOR in Annotations API allows unprivileged users to DELETE annotation

Why does CVE-2026-28374 have no CVE ID yet?

Grafana Labs Security published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

CVE-2026-28374Disclosed before NVD

IDOR in Annotations API allows unprivileged users to DELETE annotation

Vendor

Grafana Labs Security

Published

May 13, 2026

Last Modified

—

📋 Description

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. This vulnerability was reported via our bug bounty program.

🔗 References (1)

advisoryhttps://grafana.com/security/security-advisories/cve-2026-28374/