PT-2025-22699 · Grafana+3 · Grafana Oss+3
Saket Pandey · Published 2025-05-22 · Updated 2025-08-29 · CVE-2025-3580
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Grafana OSS (affected versions not specified)
Description
An access control issue was discovered where an Organization administrator could permanently delete the Server administrator account through the "DELETE /api/org/users/" endpoint. Exploitation requires an Organization administrator account and a Server administrator who is either not a member of any organization or a member of the same organization as the Organization administrator. The impact is that Organization administrators can permanently delete Server administrator accounts; if the only Server administrator is deleted, this can lead to a complete loss of administrative control over the Grafana instance.
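The following is an added illustration of the authorization boundary this advisory describes, written as a small in-memory model and not taken from Grafana's code base. Types, names (User, Store, DeleteOrgUserWeak, DeleteOrgUserHardened) and the scenario data are constructed for the example; in particular, the rule that an account left with no organization memberships is deleted outright is an assumption made here to show how an organization-scoped removal can turn into a permanent account loss. The weak variant checks only the caller's role inside the organization, which is the class of mistake the description names; the hardened variant refuses to let organization-scope privilege reach a Server administrator and refuses to remove the last one.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal model of Grafana-style accounts (constructed for this example,
// not Grafana's own types). A user has an instance-wide IsAdmin flag
// (Server administrator) and a role in each organization it belongs to.
type OrgRole string

const RoleAdmin OrgRole = "Admin"

type User struct {
	ID       int
	Login    string
	IsAdmin  bool            // Server administrator (instance-wide)
	OrgRoles map[int]OrgRole // orgID -> role held in that org
}

// Store is an in-memory user directory standing in for the database.
type Store struct {
	Users map[int]*User
}

var (
	ErrForbidden     = errors.New("forbidden: caller may not remove this user")
	ErrNotMember     = errors.New("target user is not a member of this org")
	ErrLastServerAdm = errors.New("refusing to delete the last Server administrator")
)

// serverAdminCount returns how many Server administrators still exist.
func (s *Store) serverAdminCount() int {
	n := 0
	for _, u := range s.Users {
		if u.IsAdmin {
			n++
		}
	}
	return n
}

// removeFromOrg removes target from orgID. Assumption for this example:
// an account left with no org memberships is deleted from the store,
// which is what makes an org-level removal permanent.
func (s *Store) removeFromOrg(target *User, orgID int) {
	delete(target.OrgRoles, orgID)
	if len(target.OrgRoles) == 0 {
		delete(s.Users, target.ID)
	}
}

// DeleteOrgUserWeak models the flawed authorization: holding Admin in the
// org is the only requirement, so an Org Admin can remove, and thereby
// delete, a Server administrator.
func (s *Store) DeleteOrgUserWeak(caller, target *User, orgID int) error {
	if caller.OrgRoles[orgID] != RoleAdmin && !caller.IsAdmin {
		return ErrForbidden
	}
	if _, ok := target.OrgRoles[orgID]; !ok {
		return ErrNotMember
	}
	s.removeFromOrg(target, orgID)
	return nil
}

// DeleteOrgUserHardened adds the two checks a defender would want: only a
// Server administrator may remove a Server administrator, and the last
// Server administrator is never removed in a way that deletes the account.
func (s *Store) DeleteOrgUserHardened(caller, target *User, orgID int) error {
	if caller.OrgRoles[orgID] != RoleAdmin && !caller.IsAdmin {
		return ErrForbidden
	}
	if _, ok := target.OrgRoles[orgID]; !ok {
		return ErrNotMember
	}
	if target.IsAdmin && !caller.IsAdmin {
		return ErrForbidden // org-scope privilege must not reach server scope
	}
	if target.IsAdmin && len(target.OrgRoles) == 1 && s.serverAdminCount() == 1 {
		return ErrLastServerAdm
	}
	s.removeFromOrg(target, orgID)
	return nil
}

// NewSampleStore builds the advisory's scenario (constructed data): an Org
// Admin and a Server administrator who are both members of org 1.
func NewSampleStore() (*Store, *User, *User) {
	orgAdmin := &User{ID: 2, Login: "org-admin", OrgRoles: map[int]OrgRole{1: RoleAdmin}}
	serverAdmin := &User{ID: 1, Login: "server-admin", IsAdmin: true, OrgRoles: map[int]OrgRole{1: RoleAdmin}}
	s := &Store{Users: map[int]*User{1: serverAdmin, 2: orgAdmin}}
	return s, orgAdmin, serverAdmin
}

func main() {
	s, orgAdmin, serverAdmin := NewSampleStore()
	err := s.DeleteOrgUserWeak(orgAdmin, serverAdmin, 1)
	fmt.Println("weak check:", err, "| server admins left:", s.serverAdminCount())

	s, orgAdmin, serverAdmin = NewSampleStore()
	err = s.DeleteOrgUserHardened(orgAdmin, serverAdmin, 1)
	fmt.Println("hardened check:", err, "| server admins left:", s.serverAdminCount())
}
```

The point of the hardened variant is that the deletion path compares the target's privilege level, not just the caller's role within the organization: any endpoint that can cascade into account deletion must consult instance-wide privilege, and the last Server administrator should be protected regardless of who calls.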
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2025-3580
Affected Products
Alt Linux
Grafana Oss
Red Os
Suse