{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3580", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2025-04-14T10:36:24.956Z", "datePublished": "2025-05-23T13:44:45.974Z", "dateUpdated": "2025-07-17T10:28:18.011Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "12.0.1", "status": "affected", "version": "12.0.0", "versionType": "semver"}, {"lessThan": "11.6.2", "status": "affected", "version": "11.6.1", "versionType": "semver"}, {"lessThan": "11.5.5", "status": "affected", "version": "11.5.4", "versionType": "semver"}, {"lessThan": "11.4.5", "status": "affected", "version": "11.4.4", "versionType": "semver"}, {"lessThan": "11.3.7", "status": "affected", "version": "11.3.6", "versionType": "semver"}, {"lessThan": "11.2.10", "status": "affected", "version": "11.2.9", "versionType": "semver"}, {"lessThan": "10.4.19", "status": "affected", "version": "10.4.18", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Saket Pandey"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.</p><p>The vulnerability can be exploited when:</p><p>1. An Organization administrator exists</p><p>2. The Server administrator is either:</p><code> - Not part of any organization, or</code><br><code> - Part of the same organization as the Organization administrator</code><br><p>Impact:</p><p>- Organization administrators can permanently delete Server administrator accounts</p><p>- If the only Server administrator is deleted, the Grafana instance becomes unmanageable</p><p>- No super-user permissions remain in the system</p><p>- Affects all users, organizations, and teams managed in the instance</p><p>The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.</p>"}], "value": "An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\n\nThe vulnerability can be exploited when:\n\n1. An Organization administrator exists\n\n2. The Server administrator is either:\n\n - Not part of any organization, or\n - Part of the same organization as the Organization administrator\nImpact:\n\n- Organization administrators can permanently delete Server administrator accounts\n\n- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\n\n- No super-user permissions remain in the system\n\n- Affects all users, organizations, and teams managed in the instance\n\nThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-07-17T10:28:18.011Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://grafana.com/security/security-advisories/cve-2025-3580/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-23T14:04:27.385036Z", "id": "CVE-2025-3580", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-23T14:05:09.480Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3580", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-23T14:04:27.385036Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-23T14:04:57.480Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Saket Pandey"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "version": "12.0.0", "lessThan": "12.0.1", "versionType": "semver"}, {"status": "affected", "version": "11.6.1", "lessThan": "11.6.2", "versionType": "semver"}, {"status": "affected", "version": "11.5.4", "lessThan": "11.5.5", "versionType": "semver"}, {"status": "affected", "version": "11.4.4", "lessThan": "11.4.5", "versionType": "semver"}, {"status": "affected", "version": "11.3.6", "lessThan": "11.3.7", "versionType": "semver"}, {"status": "affected", "version": "11.2.9", "lessThan": "11.2.10", "versionType": "semver"}, {"status": "affected", "version": "10.4.18", "lessThan": "10.4.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2025-3580/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\n\nThe vulnerability can be exploited when:\n\n1. An Organization administrator exists\n\n2. The Server administrator is either:\n\n - Not part of any organization, or\n - Part of the same organization as the Organization administrator\nImpact:\n\n- Organization administrators can permanently delete Server administrator accounts\n\n- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\n\n- No super-user permissions remain in the system\n\n- Affects all users, organizations, and teams managed in the instance\n\nThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.", "supportingMedia": [{"type": "text/html", "value": "<p>An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.</p><p>The vulnerability can be exploited when:</p><p>1. An Organization administrator exists</p><p>2. The Server administrator is either:</p><code> - Not part of any organization, or</code><br><code> - Part of the same organization as the Organization administrator</code><br><p>Impact:</p><p>- Organization administrators can permanently delete Server administrator accounts</p><p>- If the only Server administrator is deleted, the Grafana instance becomes unmanageable</p><p>- No super-user permissions remain in the system</p><p>- Affects all users, organizations, and teams managed in the instance</p><p>The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-07-17T10:28:18.011Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3580", "state": "PUBLISHED", "dateUpdated": "2025-07-17T10:28:18.011Z", "dateReserved": "2025-04-14T10:36:24.956Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2025-05-23T13:44:45.974Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\n\nThe vulnerability can be exploited when:\n\n1. An Organization administrator exists\n\n2. The Server administrator is either:\n\n - Not part of any organization, or\n - Part of the same organization as the Organization administrator\nImpact:\n\n- Organization administrators can permanently delete Server administrator accounts\n\n- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\n\n- No super-user permissions remain in the system\n\n- Affects all users, organizations, and teams managed in the instance\n\nThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance."}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de control de acceso en Grafana OSS donde un administrador de la organizaci\u00f3n podr\u00eda eliminar permanentemente la cuenta del administrador del servidor. Esta vulnerabilidad existe en el endpoint DELETE /api/org/users/. La vulnerabilidad se puede explotar cuando: 1. Existe un administrador de la organizaci\u00f3n 2. El administrador del servidor es: - No forma parte de ninguna organizaci\u00f3n, o - Forma parte de la misma organizaci\u00f3n que el administrador de la organizaci\u00f3n Impacto: - Los administradores de la organizaci\u00f3n pueden eliminar permanentemente las cuentas del administrador del servidor - Si se elimina el \u00fanico administrador del servidor, la instancia de Grafana se vuelve inadministrable - No quedan permisos de superusuario en el sistema - Afecta a todos los usuarios, organizaciones y equipos administrados en la instancia La vulnerabilidad es particularmente grave, ya que puede llevar a una p\u00e9rdida total del control administrativo sobre la instancia de Grafana."}], "id": "CVE-2025-3580", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2025-05-23T14:15:28.740", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2025-3580/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Improper access control in the /api/org/users/ API endpoint", "id": "2368257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368257"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-284", "details": ["An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.\nThe vulnerability can be exploited when:\n1. An Organization administrator exists\n2. The Server administrator is either:\n- Not part of any organization, or\n- Part of the same organization as the Organization administrator\nImpact:\n- Organization administrators can permanently delete Server administrator accounts\n- If the only Server administrator is deleted, the Grafana instance becomes unmanageable\n- No super-user permissions remain in the system\n- Affects all users, organizations, and teams managed in the instance\nThe vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.", "A flaw was found in Grafana. An improper access control issue at the /api/org/users/ API endpoint allows an Organization administrator to permanently delete a Server administrator account, leading to a complete loss of administrative control."], "name": "CVE-2025-3580", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-23T13:44:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3580\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3580\nhttps://grafana.com/security/security-advisories/cve-2025-3580/"], "threat_severity": "Moderate"}

{"created": "2025-06-24T09:44:20.206784+00:00", "updated": "2025-06-24T09:44:20.206833+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"]}