CVE-2026-22640
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: SICK AG

Description
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-01-22
NVD
CVE-2026-22640
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
grafana grafana From 11.5.0 (exc)
grafana grafana From 12.0.2 (inc)
grafana grafana From 11.6.3 (inc)
grafana grafana From 11.5.6 (inc)
grafana grafana From 11.4.6 (inc)
grafana grafana From 11.3.8 (inc)
sick sick_incoming_goods_suite From 1.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an access control flaw in Grafana OSS where an Organization administrator can permanently delete the Server administrator account using the DELETE /api/org/users/ endpoint. It can be exploited if an Organization administrator exists and the Server administrator is either not part of any organization or part of the same organization as the Organization administrator. This leads to the potential removal of the only Server administrator, making the Grafana instance unmanageable and resulting in a complete loss of administrative control.

Mitigation Strategies

To mitigate this vulnerability, immediate steps include restricting the privileges of Organization administrators to prevent unauthorized deletion of Server administrator accounts, ensuring that Server administrators are part of organizations to avoid exposure, and implementing strict access controls and network segmentation to limit attack vectors. Additionally, monitoring and controlling access to the DELETE /api/org/users/ endpoint is critical. Following best cybersecurity practices such as those outlined in SICK's Operating Guidelines, including network segmentation, use of firewalls, and access control measures, will help reduce risk. Contacting SICK PSIRT for any available patches or advisories and applying them promptly is also recommended. [5]

Impact Analysis

The impact of this vulnerability is severe: Organization administrators can delete Server administrator accounts permanently. If the only Server administrator is deleted, the Grafana instance becomes unmanageable because no super-user permissions remain. This affects all users, organizations, and teams managed within the instance, potentially causing a total loss of administrative control over the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22640. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart