CVE-2025-3580

EUVD-2025-21760
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists
2. The Server administrator is either:
   - Not part of any organization, or
   - Part of the same organization as the Organization administrator

Impact:

- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| GRAFANA | CNA | 5.5 MEDIUM (CVSS 3.x) | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |

EPSS Score percentile: Unknown
Early Detection: affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| grafana | grafana | 12.0.0 ≤ x < 12.0.1 | CNA |
| grafana | grafana | 11.6.1 ≤ x < 11.6.2 | CNA |
| grafana | grafana | 11.5.4 ≤ x < 11.5.5 | CNA |
| grafana | grafana | 11.4.4 ≤ x < 11.4.5 | CNA |
| grafana | grafana | 11.3.6 ≤ x < 11.3.7 | CNA |
| grafana | grafana | 11.2.9 ≤ x < 11.2.10 | CNA |
| grafana | grafana | 10.4.18 ≤ x < 10.4.19 | CNA |
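The practical question for a defender reading the affected-products table above is whether a given Grafana build falls inside one of the listed ranges and which release closes it. The following Python helper is an added example, not code from the advisory or from the Grafana project: the version ranges are copied verbatim from the table, while the parsing logic, the function names and the constructed sample inventory are assumptions made for illustration.

```python
"""Check Grafana OSS version strings against the CVE-2025-3580 affected ranges.

The (first affected, first fixed) pairs below are transcribed from the
advisory's affected-products table. Everything else (parsing, the inventory
report and the sample data) is illustrative and not part of the advisory.
"""
from typing import Dict, Optional, Tuple

# Each release line: lower bound is inclusive, upper bound (the fixed release) is exclusive.
AFFECTED_RANGES = [
    ("12.0.0", "12.0.1"),
    ("11.6.1", "11.6.2"),
    ("11.5.4", "11.5.5"),
    ("11.4.4", "11.4.5"),
    ("11.3.6", "11.3.7"),
    ("11.2.9", "11.2.10"),
    ("10.4.18", "10.4.19"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '11.6.1', 'v11.6.1' or '11.6.1-pre' into a comparable (major, minor, patch) tuple.

    A leading 'v' and any '-' or '+' suffix are dropped; the advisory's ranges are
    expressed on the numeric core only, so that is what is compared.
    """
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release if `version` lies in a listed range, else None.

    Note that None only means "not inside a range the advisory lists"; a build older
    than a line's lower bound is simply not covered by the table.
    """
    ver = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= ver < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    """True when `version` is inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def report(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host whose Grafana build is affected to the release it should move to.

    `inventory` is a host -> version mapping, e.g. collected from /api/health or
    from a package manager; hosts that are not in a listed range are omitted.
    """
    return {
        host: fixed
        for host, version in inventory.items()
        for fixed in [fixed_version_for(version)]
        if fixed is not None
    }


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for illustration).
    sample_inventory = {
        "grafana-prod-01": "v12.0.0",
        "grafana-prod-02": "12.0.1",
        "grafana-stage": "11.2.9",
        "grafana-lab": "10.4.19",
    }
    for host, fixed in report(sample_inventory).items():
        print(f"{host}: affected by CVE-2025-3580, upgrade to {fixed}")
```

Running the block prints one line per affected host in the constructed inventory (`grafana-prod-01` and `grafana-stage`). The `report` function is the part worth wiring into an inventory job; the deliberate design choice is that a version outside every listed range yields `None` rather than a "safe" verdict, because the advisory's table says nothing about builds below each line's lower bound.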