5.5

CVE-2025-3580

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists

2. The Server administrator is either:

   - Not part of any organization, or
   - Part of the same organization as the Organization administrator
Impact:

- Organization administrators can permanently delete Server administrator accounts

- If the only Server administrator is deleted, the Grafana instance becomes unmanageable

- No super-user permissions remain in the system

- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerGrafana
Produkt Grafana
Default Statusunaffected
Version 12.0.0
Version < 12.0.1
Status affected
Version 11.6.1
Version < 11.6.2
Status affected
Version 11.5.4
Version < 11.5.5
Status affected
Version 11.4.4
Version < 11.4.5
Status affected
Version 11.3.6
Version < 11.3.7
Status affected
Version 11.2.9
Version < 11.2.10
Status affected
Version 10.4.18
Version < 10.4.19
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.1% 0.267
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@grafana.com 5.5 1.2 4.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.