CVE-2025-3580

MEDIUM

Grafana 10.4.18-12.0.1 - Authenticated Server Administrator Account Deletion

Title source: llm

Description

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

References (1)

Core 1

Core References

Various Sources vendor-advisory

https://grafana.com/security/security-advisories/cve-2025-3580/

Scores

CVSS v3 5.5

EPSS 0.0038

EPSS Percentile 29.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (7)

Grafana/Grafana 10.4.18 - 10.4.19

Grafana/Grafana 11.2.9 - 11.2.10

Grafana/Grafana 11.3.6 - 11.3.7

Grafana/Grafana 11.4.4 - 11.4.5

Grafana/Grafana 11.5.4 - 11.5.5

Grafana/Grafana 11.6.1 - 11.6.2

Grafana/Grafana 12.0.0 - 12.0.1

Published May 23, 2025

Tracked Since Feb 18, 2026