Bug 2368257 (CVE-2025-3580) - CVE-2025-3580 grafana: Improper access control in the /api/org/users/ API endpoint
Summary: CVE-2025-3580 grafana: Improper access control in the /api/org/users/ API end...
Keywords:
Status: NEW
Alias: CVE-2025-3580
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2368261
Blocks:
Reported: 2025-05-23 14:01 UTC by OSIDB Bzimport
Modified: 2025-05-27 19:51 UTC (History)
2 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Description OSIDB Bzimport 2025-05-23 14:01:18 UTC
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

1. An Organization administrator exists

2. The Server administrator is either:

   - Not part of any organization, or
   - Part of the same organization as the Organization administrator

Impact:

- Organization administrators can permanently delete Server administrator accounts

- If the only Server administrator is deleted, the Grafana instance becomes unmanageable

- No super-user permissions remain in the system

- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
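To make the access-control point concrete, the following Go example is added here; it is neither Grafana's code nor part of this bug record. It models the same-organization case from the description with a hypothetical in-memory user store: RemoveOrgUserVulnerable checks only the caller's organization role, so an Organization administrator can remove the Server administrator from their only organization and the account is deleted, while RemoveOrgUserHardened also consults the target's server-admin flag and refuses to delete the last Server administrator. The types, function names, the rule that a user left with no organization is deleted, and the sample users are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a simplified, hypothetical model; it is not Grafana's own type.
type User struct {
	ID            int64
	Login         string
	IsServerAdmin bool             // the "Server administrator" flag
	OrgRoles      map[int64]string // orgID -> role held in that org ("Admin", ...)
}

// Store is an in-memory stand-in for the user table (assumption).
type Store struct {
	Users map[int64]*User
}

var (
	ErrNotFound        = errors.New("user is not a member of this organization")
	ErrCallerNotAdmin  = errors.New("forbidden: caller may not manage this organization's users")
	ErrProtectedUser   = errors.New("forbidden: only a server administrator may remove a server administrator")
	ErrLastServerAdmin = errors.New("forbidden: removing this user would delete the last server administrator")
)

// isOrgAdmin reports whether u holds the Admin role in orgID.
func (u *User) isOrgAdmin(orgID int64) bool { return u.OrgRoles[orgID] == "Admin" }

// lookupMember returns the target user only if it is a member of orgID.
func (s *Store) lookupMember(orgID, targetID int64) (*User, error) {
	target, ok := s.Users[targetID]
	if !ok || target.OrgRoles[orgID] == "" {
		return nil, ErrNotFound
	}
	return target, nil
}

// removeMembership drops the membership and, as this model assumes, deletes the
// account once it belongs to no organization. That is what turns an org-level
// removal into the permanent deletion the description talks about.
func (s *Store) removeMembership(target *User, orgID int64) {
	delete(target.OrgRoles, orgID)
	if len(target.OrgRoles) == 0 {
		delete(s.Users, target.ID)
	}
}

// RemoveOrgUserVulnerable models the flaw: only the caller's org role is
// checked, so an org admin can remove, and thereby delete, a server admin.
func (s *Store) RemoveOrgUserVulnerable(caller *User, orgID, targetID int64) error {
	if !caller.isOrgAdmin(orgID) {
		return ErrCallerNotAdmin
	}
	target, err := s.lookupMember(orgID, targetID)
	if err != nil {
		return err
	}
	s.removeMembership(target, orgID)
	return nil
}

// RemoveOrgUserHardened adds the missing checks: the target's server-admin
// status is consulted, not just the caller's org role, and the instance can
// never be left without a server administrator.
func (s *Store) RemoveOrgUserHardened(caller *User, orgID, targetID int64) error {
	if !caller.isOrgAdmin(orgID) && !caller.IsServerAdmin {
		return ErrCallerNotAdmin
	}
	target, err := s.lookupMember(orgID, targetID)
	if err != nil {
		return err
	}
	if target.IsServerAdmin {
		if !caller.IsServerAdmin {
			return ErrProtectedUser
		}
		// Removal of the only membership would delete the account entirely.
		if len(target.OrgRoles) == 1 && s.countServerAdmins() == 1 {
			return ErrLastServerAdmin
		}
	}
	s.removeMembership(target, orgID)
	return nil
}

func (s *Store) countServerAdmins() int {
	n := 0
	for _, u := range s.Users {
		if u.IsServerAdmin {
			n++
		}
	}
	return n
}

// NewSampleStore builds the scenario from the description with constructed
// data: one server administrator and one organization administrator in org 1.
func NewSampleStore() *Store {
	return &Store{Users: map[int64]*User{
		1: {ID: 1, Login: "server-admin", IsServerAdmin: true, OrgRoles: map[int64]string{1: "Admin"}},
		2: {ID: 2, Login: "org-admin", OrgRoles: map[int64]string{1: "Admin"}},
	}}
}

func main() {
	vuln := NewSampleStore()
	err := vuln.RemoveOrgUserVulnerable(vuln.Users[2], 1, 1)
	_, alive := vuln.Users[1]
	fmt.Printf("vulnerable: err=%v, server admin still exists=%v\n", err, alive)

	hard := NewSampleStore()
	err = hard.RemoveOrgUserHardened(hard.Users[2], 1, 1)
	_, alive = hard.Users[1]
	fmt.Printf("hardened:   err=%v, server admin still exists=%v\n", err, alive)
}
```

The decisive difference is that the hardened path authorizes against the target's privilege level, not only the caller's role in the organization; the last-server-admin check covers the second impact bullet, where losing the only Server administrator leaves the instance unmanageable.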
