VYPR
Medium severity5.5NVD Advisory· Published May 23, 2025· Updated Jun 17, 2026

CVE-2025-3580

CVE-2025-3580

Description

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

  1. An Organization administrator exists
  1. The Server administrator is either:

- Not part of any organization, or - Part of the same organization as the Organization administrator Impact:

  • Organization administrators can permanently delete Server administrator accounts
  • If the only Server administrator is deleted, the Grafana instance becomes unmanageable
  • No super-user permissions remain in the system
  • Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

5

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.

CVE-2025-3580 · Medium · VYPR