CVE-2025-3580: 
Grafana vulnerability analysis and mitigation

An access control vulnerability (CVE-2025-3580) was discovered in Grafana OSS, disclosed on May 23, 2025, which allows Organization administrators to permanently delete Server administrator accounts through the DELETE /api/org/users/ endpoint. The vulnerability affects Grafana OSS installations where specific conditions regarding Organization administrator and Server administrator relationships are met (NVD, Grafana Advisory).

The vulnerability exists in the DELETE /api/org/users/ endpoint and can be exploited under two specific conditions: 1) When an Organization administrator exists, and 2) When the Server administrator is either not part of any organization or is part of the same organization as the Organization administrator. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H and is categorized under CWE-284 (Improper Access Control) (NVD).

The vulnerability has severe implications for Grafana instances: Organization administrators can permanently delete Server administrator accounts, potentially leading to a complete loss of administrative control over the Grafana instance if the only Server administrator is deleted. This results in no remaining super-user permissions in the system and affects all users, organizations, and teams managed in the instance (Grafana Advisory, Wiz).

The vulnerability has been patched in multiple Grafana versions including v10.4.19, v11.2.10, v11.3.7, v11.4.5, v11.5.5, v11.6.2, and v12.0.1. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Grafana Advisory).