Home

Description

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

PUBLISHED Reserved 2025-04-14 | Published 2025-05-23 | Updated 2025-07-17 | Assigner GRAFANA




MEDIUM: 5.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

Problem types

CWE-284

Product status

Default status
unaffected

12.0.0 (semver) before 12.0.1
affected

11.6.1 (semver) before 11.6.2
affected

11.5.4 (semver) before 11.5.5
affected

11.4.4 (semver) before 11.4.5
affected

11.3.6 (semver) before 11.3.7
affected

11.2.9 (semver) before 11.2.10
affected

10.4.18 (semver) before 10.4.19
affected

Credits

Saket Pandey finder

References

grafana.com/security/security-advisories/cve-2025-3580/ vendor-advisory

cve.org (CVE-2025-3580)

nvd.nist.gov (CVE-2025-3580)

Download JSON