FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- User deletion issue

Affected packages
5.4.0 <= grafana < 10.4.18+security-01
11.0.0 <= grafana < 11.2.9+security-01
11.3.0 <= grafana < 11.3.6+security-01
11.4.0 <= grafana < 11.4.4+security-01
11.5.0 <= grafana < 11.5.4+security-01
11.6.0 <= grafana < 11.6.1+security-01
12.0.0 <= grafana < 12.0.0+security-01
8.0.0 <= grafana8
9.0.0 <= grafana9

Details

VuXML ID ee046f5d-37a8-11f0-baaa-6c3be5272acd
Discovery 2025-04-15
Entry 2025-05-23

Grafana Labs reports:

On April 15, we discovered a vulnerability that stems from the user deletion logic associated with organization administrators. An organization admin could remove any user from the specific organization they manage. Additionally, they have the power to delete users entirely from the system if they have no other org membership. This leads to two situations:

  1. They can delete a server admin if the organization the Organization Admin manages is the server admin’s final organizational membership.
  2. They can delete any user (regardless of whether they are a server admin or not) if that user currently belongs to no organizations.

These two situations allow an organization manager to disrupt instance-wide activity by continually deleting server administrators if there is only one organization or if the server administrators are not part of any organization.

The CVSS score for this vulnerability is 5.5 Medium.
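To make the failure mode concrete, here is an added Go example that is not Grafana's code and not part of the advisory. It models the two situations the report describes with a constructed in-memory user table: a legacy org-user removal that cascades into deleting any account left with no org memberships, and a hardened variant that (a) requires the target to actually be a member of the org the actor administers and (b) never lets an org-scoped action delete a server admin. The types, function names and the specific hardening rule are assumptions chosen for illustration; Grafana's real fix may differ.

```go
package main

import (
	"errors"
	"fmt"
)

// OrgRole is a user's role inside one organization.
type OrgRole string

const (
	RoleAdmin  OrgRole = "Admin"
	RoleViewer OrgRole = "Viewer"
)

// User is a constructed, simplified account model: a global server-admin
// flag plus org memberships keyed by org ID (hypothetical, not Grafana's type).
type User struct {
	ID            int
	Login         string
	IsServerAdmin bool
	OrgRoles      map[int]OrgRole
}

// Store is an in-memory user table for the example.
type Store struct {
	users map[int]*User
}

var (
	ErrNotOrgAdmin = errors.New("actor is not an admin of this org")
	ErrNotMember   = errors.New("target user is not a member of this org")
)

// RemoveOrgUserLegacy reconstructs the behaviour the advisory describes
// (an illustration, not Grafana's code): an org admin removes a user from
// the org, and if the user then has no memberships left the whole account
// is deleted. It never checks that the target was in the org, and it does
// not care whether the target is a server admin.
func (s *Store) RemoveOrgUserLegacy(actor *User, orgID, targetID int) error {
	if actor.OrgRoles[orgID] != RoleAdmin && !actor.IsServerAdmin {
		return ErrNotOrgAdmin
	}
	target, ok := s.users[targetID]
	if !ok {
		return fmt.Errorf("user %d not found", targetID)
	}
	delete(target.OrgRoles, orgID)
	if len(target.OrgRoles) == 0 {
		delete(s.users, targetID) // cascade: no orgs left, so the account goes too
	}
	return nil
}

// RemoveOrgUserHardened applies one defensible hardening (an assumption,
// not the vendor's patch): the target must be a member of the org being
// administered, and an org-scoped removal only cascades into account
// deletion when the target is not a server admin. The org membership is
// still removed either way.
func (s *Store) RemoveOrgUserHardened(actor *User, orgID, targetID int) error {
	if actor.OrgRoles[orgID] != RoleAdmin && !actor.IsServerAdmin {
		return ErrNotOrgAdmin
	}
	target, ok := s.users[targetID]
	if !ok {
		return fmt.Errorf("user %d not found", targetID)
	}
	if _, member := target.OrgRoles[orgID]; !member {
		return ErrNotMember // situation 2: users outside the org are out of reach
	}
	delete(target.OrgRoles, orgID)
	if len(target.OrgRoles) == 0 && !target.IsServerAdmin {
		delete(s.users, targetID) // situation 1: a server admin is never cascade-deleted
	}
	return nil
}

// UserExists reports whether an account is still present in the store.
func (s *Store) UserExists(id int) bool {
	_, ok := s.users[id]
	return ok
}

// NewDemoStore builds constructed sample data: a server admin whose only
// org is org 1, an org admin of org 1, and a user with no memberships.
func NewDemoStore() (store *Store, orgAdmin *User) {
	serverAdmin := &User{ID: 1, Login: "server-admin", IsServerAdmin: true, OrgRoles: map[int]OrgRole{1: RoleAdmin}}
	orgAdmin = &User{ID: 2, Login: "org1-admin", OrgRoles: map[int]OrgRole{1: RoleAdmin}}
	orphan := &User{ID: 3, Login: "orphan", OrgRoles: map[int]OrgRole{}}
	store = &Store{users: map[int]*User{1: serverAdmin, 2: orgAdmin, 3: orphan}}
	return store, orgAdmin
}

func main() {
	s, orgAdmin := NewDemoStore()
	_ = s.RemoveOrgUserLegacy(orgAdmin, 1, 1)
	fmt.Println("legacy: server admin still exists:", s.UserExists(1))

	s, orgAdmin = NewDemoStore()
	_ = s.RemoveOrgUserHardened(orgAdmin, 1, 1)
	fmt.Println("hardened: server admin still exists:", s.UserExists(1))
	fmt.Println("hardened: removing an orphan:", s.RemoveOrgUserHardened(orgAdmin, 1, 3))
}
```

The hardened path keeps the org admin's legitimate power (removing a member from their own org) while denying the two cross-scope outcomes the advisory lists; the remaining orgless server-admin account is left for a server admin to handle.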

References

CVE Name CVE-2025-3580
URL https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/