Main Vulnerability Database Vulnerabilities #VU109851

Improper access control in Grafana - CVE-2025-3580

Published: May 27, 2025

Vulnerability identifier: #VU109851

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-3580

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Grafana Labs

Affected software:
Grafana

Detailed vulnerability description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Grafana OSS. An organization administrator can permanently delete the Server administrator account via HTTP DELETE request to the "/api/org/users/" endpoint.

How to mitigate CVE-2025-3580

Install updates from vendor's website.

Sources

https://grafana.com/security/security-advisories/cve-2025-3580/

Improper access control in Grafana - CVE-2025-3580

Detailed vulnerability description

How to mitigate CVE-2025-3580

Sources

Please verify you're human