CVE-2025-3580 – Grafana Server Administrator Account Deletion Vulnerability
CVE ID : CVE-2025-3580
Published : May 23, 2025, 2:15 p.m.
Description : An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.
The vulnerability can be exploited when:
1. An Organization administrator exists
2. The Server administrator is either:
– Not part of any organization, or
– Part of the same organization as the Organization administrator
Impact:
– Organization administrators can permanently delete Server administrator accounts
– If the only Server administrator is deleted, the Grafana instance becomes unmanageable
– No super-user permissions remain in the system
– Affects all users, organizations, and teams managed in the instance
The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
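As an added exposure check, not code from the advisory or from Grafana itself: given an export of the user list and of each organization's membership, it flags every Server administrator that meets the preconditions listed above and counts Server administrators, so an operator can see whether losing one would leave the instance with no super-user. The sample data is constructed, and the field names assumed to mirror Grafana's user and org-membership API responses are an assumption of this example.

```python
from collections import defaultdict

# Constructed sample data (not from a live instance). Field names follow the
# shape of Grafana's GET /api/users and GET /api/orgs/:orgId/users responses,
# which is an assumption of this example.
USERS = [
    {"id": 1, "login": "root", "isAdmin": True},
    {"id": 2, "login": "ops-admin", "isAdmin": False},
    {"id": 3, "login": "viewer", "isAdmin": False},
    {"id": 4, "login": "breakglass", "isAdmin": True},   # Server admin in no org
    {"id": 5, "login": "isolated", "isAdmin": True},     # alone in its org
]
ORG_USERS = {
    1: [{"userId": 1, "role": "Admin"}, {"userId": 2, "role": "Admin"},
        {"userId": 3, "role": "Viewer"}],
    2: [{"userId": 5, "role": "Admin"}],
}


def exposed_server_admins(users, org_users):
    """Server admins meeting the preconditions: another user holds the Organization
    Admin role and the Server admin is in no org or in an org that user administers."""
    orgs_of = defaultdict(set)     # user id -> org ids the user belongs to
    org_admins = defaultdict(set)  # org id  -> user ids holding role Admin
    for org_id, members in org_users.items():
        for m in members:
            orgs_of[m["userId"]].add(org_id)
            if m["role"] == "Admin":
                org_admins[org_id].add(m["userId"])
    all_org_admins = set().union(*org_admins.values())
    login = {u["id"]: u["login"] for u in users}
    exposed = {}
    for u in (u for u in users if u["isAdmin"]):
        uid = u["id"]
        if not all_org_admins - {uid}:
            continue  # no Organization admin other than the target: not exposed
        if not orgs_of[uid]:
            exposed[u["login"]] = "member of no organization"
            continue
        shared = sorted(o for o in orgs_of[uid] if org_admins[o] - {uid})
        if shared:
            who = sorted(login[a] for o in shared for a in org_admins[o] - {uid})
            exposed[u["login"]] = f"shares org(s) {shared} with Organization admin(s) {who}"
    return exposed


def server_admin_count(users):
    """Number of Server admins; 1 means deleting it leaves no super-user at all."""
    return sum(1 for u in users if u["isAdmin"])
```

With the constructed data, `root` and `breakglass` are flagged while `isolated` is not, because the only Organization admin in its org is itself.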
Severity: 5.5 | MEDIUM