CVE-2026-0713
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
EPSS 0.04% · 10.8th percentile
Risk Scores
Exploit Intelligence
- CIRCL seen: CVE-2026-0713 (circl-sighting)
- CIRCL seen: CVE-2026-0713 (circl-sighting)
- CIRCL seen: CVE-2026-0713 (circl-sighting)
- CIRCL seen: CVE-2026-0713 (circl-sighting)
Timeline
- Jan 15, 2026 PoC Published
- Jan 15, 2026 PoC Published
- Jan 15, 2026 PoC Published
- Jan 15, 2026 PoC Published
- Jan 16, 2026 EPSS Score
- Jan 17, 2026 EPSS Score
- Jan 18, 2026 EPSS Score
- Jan 19, 2026 EPSS Score
- Jan 20, 2026 EPSS Score
- Jan 21, 2026 EPSS Score
- Jan 22, 2026 EPSS Score
- Jan 22, 2026 CVE Rejected
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-0713 advisory
- https://sick.com/psirt url
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices url
- https://www.first.org/cvss/calculator/3.1 url
- https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json url
- https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf url
- https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf url