PT-2026-3007 · Grafana · Grafana Oss

Published 2026-01-15 · Updated 2026-01-17 · CVE-2026-22640

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:C

Name of the Vulnerable Software and Affected Versions: Grafana OSS (affected versions not specified)

Description: An access control issue exists in Grafana OSS that allows an Organization administrator to permanently delete the Server administrator account. This is possible when an Organization administrator exists and the Server administrator is either not part of any organization or is part of the same organization as the Organization administrator. Exploitation occurs through the DELETE /api/org/users/ API endpoint. Successful exploitation results in a complete loss of administrative control over the Grafana instance, as no super-user permissions remain.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
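Until a fixed release is available, a defender can at least watch the request log for the call path described above. The following detection is an added example, not part of this advisory or of Grafana itself; it assumes Grafana's logfmt "Request Completed" lines carry the fields method, path, status, userId and orgId as shown in the constructed sample, and that the set of Server administrator user IDs is known from inventory.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines approximating Grafana's logfmt request log
# (field names are an assumption; adjust to the instance's actual log format).
SAMPLE_LOG = """\
logger=context userId=7 orgId=1 uname=orgadmin t=2026-01-16T10:02:11Z level=info msg="Request Completed" method=GET path=/api/org/users status=200 remote_addr=10.0.0.5
logger=context userId=7 orgId=1 uname=orgadmin t=2026-01-16T10:02:40Z level=info msg="Request Completed" method=DELETE path=/api/org/users/1 status=200 remote_addr=10.0.0.5
logger=context userId=7 orgId=1 uname=orgadmin t=2026-01-16T10:03:02Z level=info msg="Request Completed" method=DELETE path=/api/org/users/12 status=200 remote_addr=10.0.0.5
logger=context userId=1 orgId=1 uname=admin t=2026-01-16T10:05:00Z level=info msg="Request Completed" method=DELETE path=/api/org/users/12 status=200 remote_addr=10.0.0.9
"""

# Constructed inventory: user IDs holding the Server administrator flag
# (in practice export this list from the instance's admin user view).
SERVER_ADMIN_IDS: Set[int] = {1}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
ORG_USER_DELETE_RE = re.compile(r"^/api/org/users/(\d+)$")


def parse_logfmt(line: str) -> Dict[str, str]:
    """Parse one logfmt line into a dict, stripping quotes from quoted values."""
    out: Dict[str, str] = {}
    for key, raw, quoted in KV_RE.findall(line):
        out[key] = quoted if raw.startswith('"') else raw
    return out


def find_server_admin_removals(log_text: str, server_admin_ids: Set[int]) -> List[Dict[str, str]]:
    """Return one alert per successful DELETE /api/org/users/<id> whose
    target <id> is a Server administrator, recording who issued the call."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_logfmt(line)
        if rec.get("method") != "DELETE" or rec.get("status") != "200":
            continue
        match = ORG_USER_DELETE_RE.match(rec.get("path", ""))
        if not match:
            continue
        target = int(match.group(1))
        if target in server_admin_ids:
            alerts.append({"time": rec.get("t", ""), "actor": rec.get("userId", ""),
                           "org": rec.get("orgId", ""), "target": str(target)})
    return alerts


if __name__ == "__main__":
    for alert in find_server_admin_removals(SAMPLE_LOG, SERVER_ADMIN_IDS):
        print(f"ALERT: user {alert['actor']} removed Server admin {alert['target']} "
              f"from org {alert['org']} at {alert['time']}")
```

Only the removal of user 1 (the Server administrator) by user 7 is flagged; the removal of the ordinary user 12 is ignored.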

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2026-00580
CVE-2026-22640

Affected Products

Grafana Oss