Affiliation: Researcher - https://mobile.twitter.com/dgirlwhohacks
This was reported to Miraheze for our instance, and I discussed this with @akosiaris on IRC, so here's a heads-up as we now have a PoC.
Running this command without authentication should incorrectly allow anyone to create a dashboard and can therefore potentially cause a DoS. This was previously described in https://nvd.nist.gov/vuln/detail/CVE-2019-15043 and is supposed to be fixed in 5.4.5 and 6.3.4, but doesn't seem to be fixed in the 7.x series.
curl -s -X POST https://grafana.wikimedia.org/api/snapshots -H "Accept: application/json" -H "Content-Type: application/json" -d '{"dashboard": {}}' | json_pp
You may want to restrict access to your API via another means, and we are raising this with Grafana.
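
One way to spot abuse of this endpoint from a reverse proxy's access log, as an added example that is not part of the original report: it counts successful POSTs to /api/snapshots per client address and returns the clients at or above a threshold. The combined log format, the threshold value and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed input: Apache/nginx "combined" access log lines from the proxy
# in front of Grafana. Only the fields needed for the check are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2021:10:00:01 +0000] "POST /api/snapshots HTTP/1.1" 200 210 "-" "curl/7.68.0"
198.51.100.7 - - [01/Jan/2021:10:00:02 +0000] "POST /api/snapshots HTTP/1.1" 200 210 "-" "curl/7.68.0"
198.51.100.7 - - [01/Jan/2021:10:00:03 +0000] "POST /api/snapshots/ HTTP/1.1" 200 210 "-" "curl/7.68.0"
203.0.113.9 - - [01/Jan/2021:10:01:00 +0000] "POST /api/snapshots HTTP/1.1" 200 215 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jan/2021:10:02:00 +0000] "POST /api/snapshots HTTP/1.1" 403 40 "-" "curl/7.68.0"
203.0.113.21 - - [01/Jan/2021:10:03:00 +0000] "GET /api/snapshots/abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def is_snapshot_create(method, path, status):
    """True for a successful POST to the snapshot-creation endpoint."""
    # Drop any query string and trailing slash before comparing the path.
    bare = path.split("?", 1)[0].rstrip("/")
    return method == "POST" and bare == "/api/snapshots" and 200 <= status < 300


def snapshot_creators(lines, threshold=3):
    """Return {client_ip: count} for clients with >= threshold creations."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        if is_snapshot_create(m["method"], m["path"], int(m["status"])):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in snapshot_creators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} created {n} snapshots")
```

The access log alone does not show whether a request carried a Grafana session, so the check flags volume per client rather than missing authentication.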