Organization admin can delete server admin in Grafana

Medium
Advisory ID:CVE-2025-3580
Published:2025-05-22
Product:Grafana
CVSS Score:5.5
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Fixed Versions:
>=10.4.19
>=11.2.10
>=11.3.7
>=11.4.5
>=11.5.5
>=11.6.2
>=12.0.1

Summary

An access control vulnerability was discovered in Grafana where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

  1. An Organization administrator exists
  2. The Server administrator is either:
  • Not part of any organization, or
  • Part of the same organization as the Organization administrator

Impact:

  • Organization administrators can permanently delete Server administrator accounts
  • If the only Server administrator is deleted, the Grafana instance becomes unmanageable
  • No super-user permissions remain in the system
  • Affects all users, organizations, and teams managed in the instance

This vulnerability is fixed in v10.4.19, v11.2.10, v11.3.7, v11.4.5, v11.5.5, v11.6.2, and v12.0.1