- Description
- An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
- Source
- security@grafana.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 5.5
- Impact score
- 4.2
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
- Severity
- MEDIUM
- security@grafana.com
- CWE-284
- Hype score
- Not currently trending
CVE-2025-3580 An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulner… https://t.co/87mq4Ov2rs
@CVEnew
24 May 2025
185 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-3580 Grafana OSS Privilege Escalation via Unauthorized Server Administrator Account Deletion https://t.co/vZfrhBWnka
@VulmonFeeds
24 May 2025
56 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes