CVE-2025-3580
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
EPSS 0.10% · 26.7th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | grafana | 11.3.6, 11.2.9, 11.4.4 |
| Bitnami | grafana | 10.4.18, 11.2.9, 11.3.6 |
Timeline
- CVE Published
- May 24, 2025 EPSS Score
- May 31, 2025 Coalition ESS Score
- Jun 4, 2025 EPSS Score
- Jun 15, 2025 EPSS Score
- Jun 26, 2025 EPSS Score
- Jul 7, 2025 EPSS Score
- Jul 18, 2025 EPSS Score
- Jul 29, 2025 EPSS Score
- Aug 9, 2025 EPSS Score
- Aug 20, 2025 EPSS Score
- Aug 22, 2025 Coalition ESS Score