BIT-grafana-2025-3580

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/grafana/BIT-grafana-2025-3580.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-grafana-2025-3580
Aliases
  • CVE-2025-3580
Published
2025-05-28T11:44:30.552Z
Modified
2025-05-28T12:27:15.590287Z
Summary
[none]
Details

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

  1. An Organization administrator exists

  2. The Server administrator is either:

    • Not part of any organization, or
    • Part of the same organization as the Organization administrator Impact:

  • Organization administrators can permanently delete Server administrator accounts

  • If the only Server administrator is deleted, the Grafana instance becomes unmanageable

  • No super-user permissions remain in the system

  • Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

Database specific 
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:grafana:grafana:*:*:*:*:*:go:*:*"
    ]
}
References

Affected packages

Bitnami / grafana

Package

Name
grafana
Purl
pkg:bitnami/grafana

Severity

  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
10.4.18
Fixed
10.4.19
Introduced
11.2.9
Fixed
11.3.0
Introduced
11.3.6
Fixed
11.4.0
Introduced
11.4.4
Fixed
11.5.0
Introduced
11.5.4
Fixed
11.6.0
Introduced
11.6.1
Fixed
11.6.2
Introduced
12.0.0
Fixed
12.0.1