FreeBSD: VID-ee046f5d-37a8-11f0-baaa-6c3be5272acd (CVE-2025-3580): Grafana -- User deletion issue
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:M/C:N/I:P/A:C) | May 23, 2025 | Jun 20, 2025 | Dec 10, 2025 |
Description
Grafana Labs reports: On April 15, we discovered a vulnerability that stems from the user deletion logic associated with organization administrators. An organization admin could remove any user from the specific organization they manage. Additionally, they have the power to delete users entirely from the system if they have no other org membership. This leads to two situations:

- They can delete a server admin if the organization the Organization Admin manages is the server admin's final organizational membership.
- They can delete any user (regardless of whether they are a server admin or not) if that user currently belongs to no organizations.

These two situations allow an organization manager to disrupt instance-wide activity by continually deleting server administrators if there is only one organization or if the server administrators are not part of any organization. The CVSS score for this vulnerability is 5.5 Medium.
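The two situations in the advisory come down to an authorization check that is scoped to the wrong object: the org admin's removal is not confined to members of their own organization, and an org-level removal is allowed to escalate into an instance-wide account deletion. The following Go program is an added illustration written for this page, not Grafana's code; the `User`, `Caller` and `Directory` types, the fixture with one organization, and the two removal functions are all constructed assumptions. It places the behaviour the advisory describes beside a hardened version that requires the target to be a member of the caller's org and lets only a server admin turn "no remaining memberships" into deleting the account.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the actors in the advisory (assumption, not Grafana's real types).
type User struct {
	ID          int
	Login       string
	ServerAdmin bool
	Orgs        map[int]bool // org IDs the user belongs to
}

// Caller is the principal performing the removal and the org they administer.
type Caller struct {
	User     *User
	OrgID    int
	OrgAdmin bool
}

// Directory is an in-memory user store standing in for the instance database.
type Directory struct {
	Users map[int]*User
}

var (
	ErrNoSuchUser   = errors.New("no such user")
	ErrForbidden    = errors.New("caller is not an admin of this organization")
	ErrNotOrgMember = errors.New("target is not a member of this organization")
)

// RemoveFromOrgUnsafe mirrors the behaviour the advisory describes: membership in
// the caller's org is never verified, and a user left with zero memberships is
// deleted from the whole instance, server admin or not.
func (d *Directory) RemoveFromOrgUnsafe(c Caller, targetID int) error {
	t, ok := d.Users[targetID]
	if !ok {
		return ErrNoSuchUser
	}
	delete(t.Orgs, c.OrgID)
	if len(t.Orgs) == 0 {
		delete(d.Users, targetID) // instance-wide deletion from an org-scoped action
	}
	return nil
}

// RemoveFromOrgSafe confines an org admin to members of their own org and never
// lets an org-level removal delete the account; only a server admin may do that.
func (d *Directory) RemoveFromOrgSafe(c Caller, targetID int) error {
	t, ok := d.Users[targetID]
	if !ok {
		return ErrNoSuchUser
	}
	if !c.User.ServerAdmin {
		if !c.OrgAdmin {
			return ErrForbidden
		}
		if !t.Orgs[c.OrgID] {
			return ErrNotOrgMember // covers users who belong to no organization
		}
	}
	delete(t.Orgs, c.OrgID)
	if len(t.Orgs) == 0 && c.User.ServerAdmin {
		delete(d.Users, targetID) // account deletion stays a server-admin decision
	}
	return nil
}

// NewFixture builds the advisory's scenario (constructed data): a single org, a
// server admin whose only membership is that org, an admin of that org, and a
// user with no memberships at all.
func NewFixture() (*Directory, Caller) {
	admin := &User{ID: 1, Login: "server-admin", ServerAdmin: true, Orgs: map[int]bool{1: true}}
	orgAdmin := &User{ID: 2, Login: "org-admin", Orgs: map[int]bool{1: true}}
	orphan := &User{ID: 3, Login: "orphan", Orgs: map[int]bool{}}
	d := &Directory{Users: map[int]*User{1: admin, 2: orgAdmin, 3: orphan}}
	return d, Caller{User: orgAdmin, OrgID: 1, OrgAdmin: true}
}

// ServerAdminSurvives reports whether the server admin (user 1) still has an
// account after the org admin removes them using the given removal function.
func ServerAdminSurvives(remove func(*Directory, Caller, int) error) bool {
	d, c := NewFixture()
	_ = remove(d, c, 1)
	_, alive := d.Users[1]
	return alive
}

func main() {
	fmt.Println("unsafe removal, server admin account survives:", ServerAdminSurvives((*Directory).RemoveFromOrgUnsafe))
	fmt.Println("safe removal,   server admin account survives:", ServerAdminSurvives((*Directory).RemoveFromOrgSafe))
}
```

With the hardened check the server admin removed from their last organization keeps an account with no memberships, which is the state the advisory's second situation shows must not itself be deletable by an org admin; the membership check also rejects that orphaned user as a target.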
Solutions
- freebsd-upgrade-package-grafana
- freebsd-upgrade-package-grafana8
- freebsd-upgrade-package-grafana9