CVE ID : CVE-2025-3580
Published : May 23, 2025, 2:15 p.m. | 1 hour, 24 minutes ago
Description : An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.
The vulnerability can be exploited when:
1. An Organization administrator exists
2. The Server administrator is either:
– Not part of any organization, or
– Part of the same organization as the Organization administrator
Impact:
– Organization administrators can permanently delete Server administrator accounts
– If the only Server administrator is deleted, the Grafana instance becomes unmanageable
– No super-user permissions remain in the system
– Affects all users, organizations, and teams managed in the instance
The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
