CVE-2026-0713
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: SICK AG

Description
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-15
EPSS Evaluated
2026-01-22
NVD
CVE-2026-0713
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
grafana grafana From 11.5.0 (exc)
grafana grafana From 12.0.2 (inc)
grafana grafana From 11.6.3 (inc)
grafana grafana From 11.5.6 (inc)
grafana grafana From 11.4.6 (inc)
grafana grafana From 11.3.8 (inc)
sick sick_incoming_goods_suite From 1.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the /apis/dashboard.grafana.app/* endpoints of Grafana's API, affecting all API versions (v0alpha1, v1alpha1, v2alpha1). It allows authenticated users to bypass dashboard and folder permissions. As a result, viewers can see all dashboards and folders regardless of their permissions, editors can view, edit, delete, and create dashboards in any folder regardless of permissions, and anonymous users with viewer or editor roles are similarly affected. However, organization isolation boundaries remain intact, and the vulnerability does not grant access to datasources.

Impact Analysis

The vulnerability can lead to unauthorized access and modification of dashboards and folders within Grafana. Viewers can see all dashboards/folders even if they shouldn't have permission, and editors can edit, delete, or create dashboards anywhere regardless of permissions. This could result in exposure of sensitive information, unauthorized changes to dashboard content, and potential disruption of monitoring or visualization workflows. However, it does not allow access to datasources or breach organization isolation boundaries.

Mitigation Strategies

Immediate steps to mitigate this vulnerability include minimizing network exposure of the affected Grafana API endpoints, restricting network access to authorized users only, and following best security practices such as implementing network segmentation, access controls, and monitoring. Upgrading affected software to fixed versions is recommended when available. Although specific fixed versions for CVE-2026-0713 are not provided, general security recommendations include reducing attack surface and enforcing strict permissions to prevent unauthorized access. [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart