Organization admin can delete server admin in Grafana
Medium
| Advisory ID: | CVE-2025-3580 |
| Published: | 2025-05-22 |
| Product: | Grafana |
| CVSS Score: | 5.5 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |
| Fixed Versions: | >=10.4.19 >=11.2.10 >=11.3.7 >=11.4.5 >=11.5.5 >=11.6.2 >=12.0.1 |
Summary
An access control vulnerability was discovered in Grafana where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.
The vulnerability can be exploited when:
- An Organization administrator exists
- The Server administrator is either:
- Not part of any organization, or
- Part of the same organization as the Organization administrator
Impact:
- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance
This vulnerability is fixed in v10.4.19, v11.2.10, v11.3.7, v11.4.5, v11.5.5, v11.6.2, and v12.0.1