CVE-2025-3580
Description

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint.

The vulnerability can be exploited when:

- An Organization administrator exists
- The Server administrator is either:
  - Not part of any organization, or
  - Part of the same organization as the Organization administrator

Impact:

- Organization administrators can permanently delete Server administrator accounts
- If the only Server administrator is deleted, the Grafana instance becomes unmanageable
- No super-user permissions remain in the system
- Affects all users, organizations, and teams managed in the instance

The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana…
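As an added example (not part of the advisory and not Grafana's own code), the following Python check evaluates the two exposure conditions above over constructed user and organization listings, and flags the case where every Server administrator is exposed. The field names assume the shape of Grafana's GET /api/users and GET /api/orgs/:orgId/users responses; the data values are made up for this example.

```python
# Constructed sample data. Field names (id, login, isAdmin, userId, role) are an
# assumption about Grafana's /api/users and /api/orgs/:orgId/users responses.
USERS = [
    {"id": 1, "login": "admin", "isAdmin": True},
    {"id": 2, "login": "orgadmin", "isAdmin": False},
    {"id": 3, "login": "backup-admin", "isAdmin": True},
    {"id": 4, "login": "viewer", "isAdmin": False},
]
ORG_USERS = {
    1: [
        {"userId": 1, "login": "admin", "role": "Admin"},
        {"userId": 2, "login": "orgadmin", "role": "Admin"},
        {"userId": 4, "login": "viewer", "role": "Viewer"},
    ],
    2: [
        {"userId": 2, "login": "orgadmin", "role": "Admin"},
    ],
}


def exposed_server_admins(users, org_users):
    """Return {login: reason} for each Server administrator that an Organization
    administrator could delete under the CVE-2025-3580 conditions: the Server
    admin is in no organization, or shares an organization with an Org Admin."""
    server_admins = {u["id"]: u["login"] for u in users if u.get("isAdmin")}
    memberships = {}          # user id -> set of org ids the user belongs to
    orgs_with_org_admin = set()
    for org_id, members in org_users.items():
        for m in members:
            memberships.setdefault(m["userId"], set()).add(org_id)
            # Assumption: only Org Admins who are not already Server admins
            # count as a threat (a Server admin needs no bug to delete users).
            if m["role"] == "Admin" and m["userId"] not in server_admins:
                orgs_with_org_admin.add(org_id)
    exposed = {}
    for uid, login in server_admins.items():
        orgs = memberships.get(uid, set())
        if not orgs:
            exposed[login] = "not a member of any organization"
        elif orgs & orgs_with_org_admin:
            shared = sorted(orgs & orgs_with_org_admin)
            exposed[login] = f"shares organization(s) {shared} with an Org Admin"
    return exposed


def single_point_of_failure(users, org_users):
    """True when every Server admin is exposed, i.e. one deletion sequence could
    leave the instance with no super-user (the 'unmanageable' impact above)."""
    server_admins = [u for u in users if u.get("isAdmin")]
    return len(server_admins) == len(exposed_server_admins(users, org_users))
```

Run against a live instance by replacing the constructed listings with the JSON returned by the two endpoints (a Server admin credential is required to read them).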
