Organization admin can delete server admin in Grafana

Issue Details: CVE-2025-3580

Date Published: May 22, 2025

Description:

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

  1. An Organization administrator exists
  2. The Server administrator is either:
  • Not part of any organization, or
  • Part of the same organization as the Organization administrator

Impact:

  • Organization administrators can permanently delete Server administrator accounts
  • If the only Server administrator is deleted, the Grafana instance becomes unmanageable
  • No super-user permissions remain in the system
  • Affects all users, organizations, and teams managed in the instance

This vulnerability is fixed in v10.4.19, v11.2.10, v11.3.7, v11.4.5, v11.5.5, v11.6.2, and v12.0.1