CVE-2025-3580

Name
CVE-2025-3580
Description
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@grafana.com https://grafana.com/security/security-advisories/cve-2025-3580/

Match rules

CPE URI Source package Min version Max version
grafana >= 12.0.0 < 12.0.1
grafana >= 11.6.1 < 11.6.2
grafana >= 11.5.4 < 11.5.5
grafana >= 11.4.4 < 11.4.5
grafana >= 11.3.6 < 11.3.7
grafana >= 11.2.9 < 11.2.10
grafana >= 10.4.18 < 10.4.19

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
grafana edge-community 12.0.0-r0 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana 3.22-community 12.0.0-r3 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana 3.22-community 12.0.0-r2 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable
grafana 3.22-community 12.0.0-r1 Konstantin Kulikov <k.kulikov2@gmail.com> possibly vulnerable