5.5
/ 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Description
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
Basic Information
ID
CVE-2026-22640
Source
SICK AG
Published
Jan 15, 2026 at 13:12
Affected Product
Vendor
SICK AG
Product
Incoming Goods Suite
Affected Versions
SICK AG Incoming Goods Suite 0
CWE Classification
References
- sick.com /psirt
- www.sick.com /media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
- www.cisa.gov /resources-tools/resources/ics-recommended-practices
- www.first.org /cvss/calculator/3.1
- www.sick.com /.well-known/csaf/white/2026/sca-2026-0002.json
- www.sick.com /.well-known/csaf/white/2026/sca-2026-0002.pdf