Grafana
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*
- < 10.4.19
- < 11.2.10
- < 11.3.7
- < 11.4.5
- < 11.5.5
- < 11.6.2
- < 12.0.1
A vulnerability in Grafana OSS allows Organization administrators to permanently delete Server administrator accounts. The flaw is in the DELETE /api/org/users/ endpoint and can be exploited when an Organization administrator exists and the targeted Server administrator is either not a member of any organization or is a member of the same organization as that Organization administrator. The impact is significant: deleting the only Server administrator leaves the instance with no super-user permissions, so it becomes unmanageable.
Because the deletion is permanent, removing the sole Server administrator affects every user, organization, and team managed within the instance, with no built-in way to recover administrative control.
This vulnerability has been fixed in Grafana versions 10.4.19, 11.2.10, 11.3.7, 11.4.5, 11.5.5, 11.6.2, and 12.0.1.
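As an added check that is not part of the advisory, the following Python encodes the fixed releases listed above so an inventory of Grafana instances can be audited offline. It assumes (my interpretation, not stated by the advisory) that a release branch with no listed fix is treated as vulnerable unless it is newer than 12.0.1, which is the conservative reading for branches such as 11.0.x or 11.1.x.

```python
"""Audit Grafana version strings against the fixed releases named in this advisory."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, one per affected release branch.
FIXED_VERSIONS = ("10.4.19", "11.2.10", "11.3.7", "11.4.5", "11.5.5", "11.6.2", "12.0.1")


def parse_version(text: str) -> Version:
    """Parse strings such as '11.4.3', 'v11.4.3' or '11.4.3-pre' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: Version) -> Optional[Version]:
    """Return the fixed release on the same major.minor branch, if the advisory lists one."""
    for fixed in FIXED_VERSIONS:
        fv = parse_version(fixed)
        if fv[:2] == version[:2]:
            return fv
    return None


def is_vulnerable(text: str) -> bool:
    """True if the version is below its branch's fix; for a branch with no listed fix,
    assume (conservatively) it is vulnerable unless newer than the newest fixed release."""
    v = parse_version(text)
    branch_fix = fixed_version_for(v)
    if branch_fix is not None:
        return v < branch_fix
    newest = max(parse_version(f) for f in FIXED_VERSIONS)
    return v < newest


def audit(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host name to whether its reported Grafana version is vulnerable."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


# Constructed sample inventory (host -> version reported by the instance), not real data.
SAMPLE_INVENTORY = {"grafana-a": "v11.4.4", "grafana-b": "11.6.2", "grafana-c": "11.1.5"}

if __name__ == "__main__":
    for host, vulnerable in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'VULNERABLE, upgrade' if vulnerable else 'fixed'}")
```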