Summary The DELETE /api/snapshots/{key} endpoint allows any Grafana user to delete snapshots if the user is NOT in the organization of the snapshot Details An attacker (a user without organization affiliation or with a "no basic role" in an organization other than the one where the dashboard exists), knowing the key or URL of a snapshot created by any user (including Grafana admins), can delete a snapshot (It is not feasible using UI), resulting in a BOLA vulnerability. If an attacker is in the same organization of the dashboard snapshot, he can’t delete the snapshot. However, an attacker with low-privilege from a different organization would be able to delete it, resulting in the authorization flaw. Precondition To exploit this endpoint, an attacker must know the {key} of a snapshot. The attacker can potentially discover this key in various ways. When creating a snapshot through the API, users can manually specify a key without any complexity requirements. This lack of complexity makes this key susceptible to brute force attacks. For example, simplistic keys such as "customer_key_123" or "admin_snap" can be easily guessed. These predictable keys allow low-privileged attackers to perform brute-force attacks using common keywords, potentially leading to compromised data integrity. In addition, this key is displayed in plain text in the URL of a snapshot. This means that if a user publicly displays a snapshot, viewers might note down the key. Furthermore, since the…Read More