An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.
The vulnerability can be exploited when:
1. An Organization administrator exists
2. The Server administrator is either:
- Not part of any organization, or
- Part of the same organization as the Organization administrator
Impact:
- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance
The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
Metrics
Affected Vendors & Products
References
History
Mon, 26 May 2025 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Title | grafana: Improper access control in the /api/org/users/ API endpoint | |
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Fri, 23 May 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 23 May 2025 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. | |
Weaknesses | CWE-284 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: GRAFANA
Published: 2025-05-23T13:44:45.974Z
Updated: 2025-05-23T14:05:09.480Z
Reserved: 2025-04-14T10:36:24.956Z
Link: CVE-2025-3580

Updated: 2025-05-23T14:04:57.480Z

Status : Awaiting Analysis
Published: 2025-05-23T14:15:28.740
Modified: 2025-05-23T15:54:42.643
Link: CVE-2025-3580
