CVE-2025-3580

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

A

n access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.

References

Link	Resource
https://grafana.com/security/security-advisories/cve-2025-3580/

Configurations

No configuration.

History

23 May 2025, 15:54

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-23 14:15

Updated : 2025-05-23 15:54

NVD link : CVE-2025-3580

Mitre link : CVE-2025-3580

CVE.ORG link : CVE-2025-3580

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-3580", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 1.2}]}, "published": "2025-05-23T14:15:28.740", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2025-3580/", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\n\nThe vulnerability can be exploited when:\n\n1. An Organization administrator exists\n\n2. The Server administrator is either:\n\n - Not part of any organization, or\n - Part of the same organization as the Organization administrator\nImpact:\n\n- Organization administrators can permanently delete Server administrator accounts\n\n- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\n\n- No super-user permissions remain in the system\n\n- Affects all users, organizations, and teams managed in the instance\n\nThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance."}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de control de acceso en Grafana OSS donde un administrador de la organizaci\u00f3n podr\u00eda eliminar permanentemente la cuenta del administrador del servidor. Esta vulnerabilidad existe en el endpoint DELETE /api/org/users/. La vulnerabilidad se puede explotar cuando: 1. Existe un administrador de la organizaci\u00f3n 2. El administrador del servidor es: - No forma parte de ninguna organizaci\u00f3n, o - Forma parte de la misma organizaci\u00f3n que el administrador de la organizaci\u00f3n Impacto: - Los administradores de la organizaci\u00f3n pueden eliminar permanentemente las cuentas del administrador del servidor - Si se elimina el \u00fanico administrador del servidor, la instancia de Grafana se vuelve inadministrable - No quedan permisos de superusuario en el sistema - Afecta a todos los usuarios, organizaciones y equipos administrados en la instancia La vulnerabilidad es particularmente grave, ya que puede llevar a una p\u00e9rdida total del control administrativo sobre la instancia de Grafana."}], "lastModified": "2025-05-23T15:54:42.643", "sourceIdentifier": "[email protected]"}