CVE-2025-3580: Improper Access Control in Grafana

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.1% (top 73.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published May 23

Description

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when:

1. An Organization administrator exists
2. The Server administrator is either:
   - Not part of any organization, or
   - Part of the same organization as the Organization administrator

Impact:
- Organization administrators can permanent

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Exploitability: 1.2 | Impact: 4.2

Affected Packages (1 package)

Source     Package          Versions
CVEListV5  grafana/grafana  12.0.0 / 12.0.1 (+6)

Vulnerability Details (3)

- OSV: CVE-2025-3580: An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. (2025-05-23)
- CVEList: CVE-2025-3580: An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. (2025-05-23)
- GHSA: GHSA-gcjf-8x3p-64v2: An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. (2025-05-23)

Vendor Advisories (2)

- Red Hat: grafana: Improper access control in the /api/org/users/ API endpoint (2025-05-23)
- Microsoft: A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and (2021-08-10)
CVE-2025-3580 — Improper Access Control in Grafana | cvebase