An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists
2. The Server administrator is either:
   - Not part of any organization, or
   - Part of the same organization as the Organization administrator

Impact:

- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
History

Mon, 26 May 2025 14:30:00 +0000

Type / Values removed / Values added

Title
  Values added: grafana: Improper access control in the /api/org/users/ API endpoint
References
Metrics (threat_severity)
  Values removed: None
  Values added: Moderate


Fri, 23 May 2025 14:15:00 +0000

Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 May 2025 14:00:00 +0000

Description
  Values added: the vulnerability description shown at the top of this page
Weaknesses
  Values added: CWE-284
References
Metrics (cvssV3_1)
  Values added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published: 2025-05-23T13:44:45.974Z

Updated: 2025-05-23T14:05:09.480Z

Reserved: 2025-04-14T10:36:24.956Z

Link: CVE-2025-3580

Vulnrichment

Updated: 2025-05-23T14:04:57.480Z

NVD

Status: Awaiting Analysis

Published: 2025-05-23T14:15:28.740

Modified: 2025-05-23T15:54:42.643

Link: CVE-2025-3580

Red Hat

Severity: Moderate

Public Date: 2025-05-23T13:44:45Z

Links: CVE-2025-3580 - Bugzilla