CVE-2025-3580
MEDIUM5.5EPSS 0.10%Description
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
Affected packages (1)
- Bitnami/grafana>= 10.4.18, < 10.4.19, >= 11.2.9, < 11.2.10, >= 11.3.6, < 11.3.7, >= 11.4.4, < 11.4.5, >= 11.5.4, < 11.5.5, >= 11.6.1, < 11.6.2, >= 12.0.0, < 12.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |