CVE-2025-3580

23.05.2025, 14:15

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists

2. The Server administrator is either:

   - Not part of any organization, or
   - Part of the same organization as the Organization administrator
Impact:

- Organization administrators can permanently delete Server administrator accounts

- If the only Server administrator is deleted, the Grafana instance becomes unmanageable

- No super-user permissions remain in the system

- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
GRAFANA	CNA	5.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://grafana.com/security/security-advisories/cve-2025-3580/