CVE-2025-3580 Information
Description
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.
The vulnerability can be exploited when:
-
An Organization administrator exists
-
The Server administrator is either:
- Not part of any organization or
- Part of the same organization as the Organization administrator Impact:
-
Organization administrators can permanently delete Server administrator accounts
-
If the only Server administrator is deleted the Grafana instance becomes unmanageable
-
No super-user permissions remain in the system
-
Affects all users organizations and teams managed in the instance
The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
Reference
https://grafana.com/security/security-advisories/cve-2025-3580/
Share on: