CVE-2025-3580

CVSS 3.1 base score: 5.5

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists
2. The Server administrator is either:
   - Not part of any organization, or
   - Part of the same organization as the Organization administrator

Impact:

- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
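The advisory describes a missing authorization check rather than a parsing or injection flaw, so the useful thing to see is the shape of that check. The Go program below is an added illustration written for this page, not Grafana's own code: the `User` type, its field names (`OrgRole`, `IsServerAdmin`, `OrgID`) and the two policy functions are assumptions that model the described behaviour. `vulnerableCanRemove` only asks whether the caller is an Organization administrator, which is the condition the advisory says was sufficient; `hardenedCanRemove` additionally requires that a Server administrator can only be removed by another Server administrator and never when that would leave the instance with none.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a constructed model of a Grafana account, reduced to the attributes
// this vulnerability turns on: the role inside one organization and the
// instance-wide Server administrator flag. The field names are illustrative
// assumptions, not Grafana's real data model.
type User struct {
	Login         string
	OrgID         int64  // 0 models "not a member of any organization"
	OrgRole       string // "Admin", "Editor" or "Viewer" within OrgID
	IsServerAdmin bool   // instance-wide super-user
}

// ErrForbidden is returned whenever the policy denies the removal.
var ErrForbidden = errors.New("forbidden")

// vulnerableCanRemove models the pre-fix decision described in the advisory:
// the only question asked is whether the caller is an Organization
// administrator, so a Server administrator who is in the same organization
// (or in none at all) can be removed and, in the described scenario, deleted.
func vulnerableCanRemove(actor, target User) error {
	if actor.OrgRole != "Admin" {
		return ErrForbidden
	}
	return nil
}

// hardenedCanRemove adds the two checks that close the hole:
//   - a Server administrator may only be removed by another Server administrator
//   - the last Server administrator may never be removed
// serverAdminsAfter is the number of Server administrators that would remain
// if the removal went ahead (the caller computes it from the user store).
func hardenedCanRemove(actor, target User, serverAdminsAfter int) error {
	if actor.OrgRole != "Admin" && !actor.IsServerAdmin {
		return ErrForbidden
	}
	if target.IsServerAdmin {
		if !actor.IsServerAdmin {
			return fmt.Errorf("%w: only a Server administrator may remove a Server administrator", ErrForbidden)
		}
		if serverAdminsAfter < 1 {
			return fmt.Errorf("%w: refusing to remove the last Server administrator", ErrForbidden)
		}
	}
	return nil
}

// describe renders a policy result for the table printed by main.
func describe(err error) string {
	if err == nil {
		return "allowed"
	}
	return "denied (" + err.Error() + ")"
}

func main() {
	// Constructed sample accounts: one Organization administrator and the
	// single Server administrator of the instance, both in organization 1.
	orgAdmin := User{Login: "org-admin", OrgID: 1, OrgRole: "Admin"}
	serverAdmin := User{Login: "server-admin", OrgID: 1, OrgRole: "Admin", IsServerAdmin: true}

	fmt.Println("org admin removes server admin, vulnerable policy:",
		describe(vulnerableCanRemove(orgAdmin, serverAdmin)))
	fmt.Println("org admin removes server admin, hardened policy:  ",
		describe(hardenedCanRemove(orgAdmin, serverAdmin, 0)))
	fmt.Println("org admin removes org admin, hardened policy:     ",
		describe(hardenedCanRemove(serverAdmin, orgAdmin, 1)))
}
```

Running the program prints that the vulnerable policy allows the Organization administrator to remove the Server administrator while the hardened policy denies it, and that ordinary removals by a Server administrator are still allowed. The second check (`serverAdminsAfter < 1`) is what prevents the "instance becomes unmanageable" outcome listed under Impact even when the caller is legitimately a Server administrator.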

Linked by AI from unstructured data to existing CPEs in the NVD.
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor: Grafana
Product: Grafana
Default status: unaffected

Affected version ranges (from the listed version, up to but excluding the fixed version):

| From    | Before  | Status   |
|---------|---------|----------|
| 12.0.0  | 12.0.1  | affected |
| 11.6.1  | 11.6.2  | affected |
| 11.5.4  | 11.5.5  | affected |
| 11.4.4  | 11.4.5  | affected |
| 11.3.6  | 11.3.7  | affected |
| 11.2.9  | 11.2.10 | affected |
| 10.4.18 | 10.4.19 | affected |
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS metrics

| Type | Source    | Score | Percentile |
|------|-----------|-------|------------|
| EPSS | FIRST.org | 0.02% | 0.03       |

CVSS metrics

| Source               | Base Score | Exploit Score | Impact Score | Vector string                                |
|----------------------|------------|---------------|--------------|----------------------------------------------|
| security@grafana.com | 5.5        | 1.2           | 4.2          | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.