An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

According to its self-reported version, the Grafana install hosted on the remote host is earlier than 10.4.19, or 11.2.x earlier than 11.2.10, or 11.3.x earlier than 11.3.7, or 11.4.x earlier than 11.4.5, or 11.5.x earlier than 11.5.5, or 11.6.x earlier than 11.6.2, or 12.0.x earlier than 12.0.1. It is, therefore, affected by a improper access control vulnerability.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114810	Grafana 12.0.x < 12.0.1 Improper Access Control	Web App Scanning	Component Vulnerability	medium
114809	Grafana 11.6.x < 11.6.2 Improper Access Control	Web App Scanning	Component Vulnerability	medium
114808	Grafana 11.5.x < 11.5.5 Improper Access Control	Web App Scanning	Component Vulnerability	medium
114807	Grafana 11.4.x < 11.4.5 Improper Access Control	Web App Scanning	Component Vulnerability	medium
114806	Grafana 11.3.x < 11.3.7 Improper Access Control	Web App Scanning	Component Vulnerability	medium
114805	Grafana 11.2.x < 11.2.10 Improper Access Control	Web App Scanning	Component Vulnerability	medium
114804	Grafana < 10.4.19 Improper Access Control	Web App Scanning	Component Vulnerability	medium

Detections

Analytics

CVE-2025-3580

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium