CVE-2025-3580: 
Grafana vulnerability analysis and mitigation

CVE-2025-3580 is an access control vulnerability discovered in Grafana OSS that allows Organization administrators to permanently delete Server administrator accounts through the DELETE /api/org/users/ endpoint. The vulnerability was disclosed on May 22, 2025, affecting Grafana OSS installations where specific conditions are met regarding Organization administrator and Server administrator relationships (Grafana Advisory).

The vulnerability exists in the DELETE /api/org/users/ endpoint and can be exploited under two specific conditions: 1) When an Organization administrator exists, and 2) When the Server administrator is either not part of any organization or is part of the same organization as the Organization administrator. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H and is categorized under CWE-284 (Improper Access Control) (NVD).

The vulnerability has severe implications for Grafana instances: Organization administrators can permanently delete Server administrator accounts, potentially leading to a complete loss of administrative control over the Grafana instance if the only Server administrator is deleted. This results in no remaining super-user permissions in the system and affects all users, organizations, and teams managed in the instance (Grafana Advisory).

The vulnerability has been patched in multiple Grafana versions including v10.4.19, v11.2.10, v11.3.7, v11.4.5, v11.5.5, v11.6.2, and v12.0.1. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Grafana Advisory).