Grafana · Grafana Oss · CVE-2025-3580
**Name of the Vulnerable Software and Affected Versions**
Grafana OSS (affected versions not specified)
**Description**
An access control issue was discovered in which an Organization administrator could permanently delete the Server administrator account through the `DELETE /api/org/users/` endpoint. The condition is exploitable when an Organization administrator exists and the Server administrator is either not a member of any organization or is a member of the same organization as that Organization administrator. The impact is that Organization administrators can permanently delete Server administrator accounts, which can lead to a complete loss of administrative control over the Grafana instance if the only Server administrator is deleted.
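The following Go example is added here to illustrate the class of check the description above is about; it is not Grafana's code and does not reflect Grafana's internal data model. It models a hypothetical in-memory store with an org-user removal handler that authorizes only on the caller's organization role, next to a hardened version that also inspects the target's server-level privilege and refuses to remove the last Server administrator. The type and function names, the sample users, and the rule that an account left with no organization is deleted are all assumptions made for the illustration.

```go
package main

import "errors"

// Hypothetical in-memory model for this illustration; it is not Grafana's data model.
type User struct {
	ID            int64
	IsServerAdmin bool // server-scoped privilege, independent of any org role
}
type OrgRole string

const RoleAdmin OrgRole = "Admin"

// Caller is the authenticated principal behind a DELETE /api/org/users/<id> request.
type Caller struct {
	User    User
	OrgID   int64   // organization the request is scoped to
	OrgRole OrgRole // caller's role inside that organization
}

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("user not found in organization")
var ErrLastAdmin = errors.New("refusing to remove the last server administrator")

type Store struct {
	Users   map[int64]User
	Members map[int64]map[int64]OrgRole // orgID -> userID -> role
}

// NewSampleStore builds constructed sample data: two server admins (1 and 3) and
// one plain org admin (2), all members of organization 1.
func NewSampleStore() *Store {
	return &Store{
		Users:   map[int64]User{1: {ID: 1, IsServerAdmin: true}, 2: {ID: 2}, 3: {ID: 3, IsServerAdmin: true}},
		Members: map[int64]map[int64]OrgRole{1: {1: RoleAdmin, 2: RoleAdmin, 3: RoleAdmin}},
	}
}

// memberElsewhere reports whether the user belongs to any org other than exceptOrg.
func (s *Store) memberElsewhere(userID, exceptOrg int64) bool {
	for orgID, members := range s.Members {
		if _, ok := members[userID]; ok && orgID != exceptOrg {
			return true
		}
	}
	return false
}

// serverAdminCount counts the server administrator accounts that still exist.
func (s *Store) serverAdminCount() int {
	n := 0
	for _, u := range s.Users {
		if u.IsServerAdmin {
			n++
		}
	}
	return n
}

// dropMembership removes the org membership and, when the user is left with no
// organization at all, deletes the account (assumed behaviour for the illustration).
func (s *Store) dropMembership(orgID, userID int64) {
	delete(s.Members[orgID], userID)
	if !s.memberElsewhere(userID, orgID) {
		delete(s.Users, userID)
	}
}

// RemoveOrgUserVulnerable models the flaw the advisory describes: the only
// authorization check is the caller's org-level role, so the target's server
// admin status is never consulted and the account can be removed and deleted.
func (s *Store) RemoveOrgUserVulnerable(c Caller, orgID, targetID int64) error {
	if c.OrgID != orgID || c.OrgRole != RoleAdmin {
		return ErrForbidden
	}
	if _, member := s.Members[orgID][targetID]; !member {
		return ErrNotFound
	}
	s.dropMembership(orgID, targetID)
	return nil
}

// RemoveOrgUserHardened adds the missing checks: an org-scoped role never reaches a
// server-scoped account, and the last server administrator is never deleted.
func (s *Store) RemoveOrgUserHardened(c Caller, orgID, targetID int64) error {
	if c.OrgID != orgID || c.OrgRole != RoleAdmin {
		return ErrForbidden
	}
	if _, member := s.Members[orgID][targetID]; !member {
		return ErrNotFound
	}
	if s.Users[targetID].IsServerAdmin { // zero-value User when absent, so false
		if !c.User.IsServerAdmin {
			return ErrForbidden // the target's privilege, not only the caller's, decides
		}
		if !s.memberElsewhere(targetID, orgID) && s.serverAdminCount() <= 1 {
			return ErrLastAdmin // removal would delete the only server admin account
		}
	}
	s.dropMembership(orgID, targetID)
	return nil
}
```

The point of the hardened path is that the authorization decision is a function of both principals: the caller's organization role is necessary but not sufficient when the target holds a server-scoped privilege, and the last-admin guard covers the impact the description names (loss of all administrative control).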
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.