Medium severity5.5NVD Advisory· Published May 23, 2025· Updated Jun 17, 2026
CVE-2025-3580
CVE-2025-3580
Description
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.
The vulnerability can be exploited when:
- An Organization administrator exists
- The Server administrator is either:
- Not part of any organization, or - Part of the same organization as the Organization administrator Impact:
- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance
The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5- osv-coords3 versionspkg:bitnami/grafanapkg:rpm/opensuse/grafana&distro=openSUSE%20Tumbleweedpkg:rpm/suse/release-notes-susemanager&distro=SUSE%20Manager%20Server%204.3
>= 10.4.18, < 10.4.19+ 2 more
- (no CPE)range: >= 10.4.18, < 10.4.19
- (no CPE)range: < 11.6.1+security01-1.1
- (no CPE)range: < 4.3.15.2-150400.3.133.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.