CVE-2025-3580

Severity CVSS v4.0:
Pending analysis
Type:
CWE-284 Improper Access Control
Publication date:
23/05/2025
Last modified:
23/05/2025

Description

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists

2. The Server administrator is either:

- Not part of any organization, or
- Part of the same organization as the Organization administrator

Impact:

- Organization administrators can permanently delete Server administrator accounts

- If the only Server administrator is deleted, the Grafana instance becomes unmanageable

- No super-user permissions remain in the system

- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
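A constructed Go model of the two authorization paths, added here as an example and not Grafana's own code: the vulnerable handler deletes any account that the org-scoped removal leaves without organizations, while the hardened one refuses an Organization administrator acting on a Server administrator and never removes the last Server administrator. The type names, function names and the rule that org removal cascades into account deletion are assumptions made for the illustration.

```go
package main
import "errors"

var ErrForbidden = errors.New("forbidden")
// Constructed model of the accounts in CVE-2025-3580; this is not Grafana's own code.
type User struct {
	IsServerAdmin bool           // Grafana "Server administrator" flag
	Orgs          map[int64]bool // organizations the user belongs to
}

// Caller is the principal issuing DELETE /api/org/users/{id}, scoped to OrgID.
type Caller struct {
	OrgID                     int64
	IsOrgAdmin, IsServerAdmin bool
}

func serverAdmins(users map[int64]*User) int {
	n := 0
	for _, u := range users {
		if u.IsServerAdmin {
			n++
		}
	}
	return n
}

// DeleteOrgUserVulnerable models the reported behaviour: an org admin drops the target
// from the org, and a target left with no organizations is deleted, Server admin or not.
func DeleteOrgUserVulnerable(users map[int64]*User, c Caller, id int64) error {
	u, ok := users[id]
	if !ok || !c.IsOrgAdmin {
		return ErrForbidden
	}
	delete(u.Orgs, c.OrgID)
	if len(u.Orgs) == 0 {
		delete(users, id) // permanent account deletion
	}
	return nil
}

// DeleteOrgUserHardened: an org admin may not act on a Server administrator, the last
// Server administrator is never removed, and dropping an org membership keeps the account.
func DeleteOrgUserHardened(users map[int64]*User, c Caller, id int64) error {
	u, ok := users[id]
	if !ok || !(c.IsOrgAdmin || c.IsServerAdmin) {
		return ErrForbidden
	}
	if u.IsServerAdmin && (!c.IsServerAdmin || serverAdmins(users) <= 1) {
		return ErrForbidden
	}
	delete(u.Orgs, c.OrgID) // membership only; the account record survives
	return nil
}
```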

References to Advisories, Solutions, and Tools