Home Embedded Vulns General Vulns

CVE-2025-3580

MEDIUM 5.5

Our Analysis: General-Purpose

Our model has classified this vulnerability as relevant to General-Purpose Systems, helping your team prioritize efforts effectively.

Published Date May 23, 2025
Last Modified May 23, 2025
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

Description

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists

2. The Server administrator is either:

- Not part of any organization, or
- Part of the same organization as the Organization administrator
Impact:

- Organization administrators can permanently delete Server administrator accounts

- If the only Server administrator is deleted, the Grafana instance becomes unmanageable

- No super-user permissions remain in the system

- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.