CVE-2025-3580
Description
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
How to fix CVE-2025-3580
To remediate CVE-2025-3580, upgrade the affected package to a fixed version below.
- —upgrade to 10.4.19 or later
Is CVE-2025-3580 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 10.4.18, < 10.4.19, >= 11.2.9, < 11.2.10, >= 11.3.6, < 11.3.7, >= 11.4.4, < 11.4.5, >= 11.5.4, < 11.5.5, >= 11.6.1, < 11.6.2, >= 12.0.0, < 12.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |