Grafana Fixes Critical SCIM Flaw Allowing Impersonation and Privilege Escalation

Grafana has released security updates for a vulnerability that could allow user impersonation and privilege escalation. The flaw, tracked as CVE-2025-41115, carries the maximum CVSS score of 10.0.
Details of the Vulnerability
The vulnerability lies in Grafana's System for Cross-domain Identity Management (SCIM) component, which automates user provisioning and management. The SCIM feature was first introduced in April 2025 and is currently available in public preview.
Conditions for Exploitation
The vulnerability affects Grafana 12.x deployments with SCIM provisioning enabled. It is exploitable only when both of the following settings are in place:
- The enableSCIM feature flag must be set to true.
- The user_sync_enabled configuration option in the [auth.scim] block must also be set to true.
When both conditions are met, a malicious or compromised SCIM client can provision a user whose external ID is a purely numeric value. Because that value is mapped onto Grafana's internal user IDs, it can collide with an existing account and lead to unauthorized access.
Impact Scope
The vulnerability affects Grafana Enterprise versions 12.0.0 through 12.2.1. To mitigate the risk, users should update to one of the following fixed versions:
- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0
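The two configuration conditions above, together with the affected and fixed version list, can be turned into a simple audit check. The following Go program is an added example written for this article; it is not Grafana's own code and does not reproduce the fix. It assumes a grafana.ini-style layout in which the feature flag appears in a [feature_toggles] section (either as enableSCIM = true or in the comma-separated enable list) and the user_sync_enabled key sits in [auth.scim]; the sample configuration strings are constructed. Version handling is deliberately conservative: only the four patched releases named above, plus 12.3.0 and later, are treated as fixed, and any other 12.0.x to 12.2.x build is reported as affected.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Exposure records the three advisory conditions for one Grafana instance.
type Exposure struct {
	SCIMEnabled, UserSyncEnabled, VersionAffected bool
}

// Vulnerable is true only when all three conditions hold at once.
func (e Exposure) Vulnerable() bool {
	return e.SCIMEnabled && e.UserSyncEnabled && e.VersionAffected
}

// fixedVersions are the patched releases listed in the advisory.
var fixedVersions = map[string]bool{
	"12.0.6+security-01": true, "12.1.3+security-01": true,
	"12.2.1+security-01": true, "12.3.0": true,
}

// versionAffected flags any 12.0.x-12.2.x release that is not a listed patched
// build (conservative); 12.3.0+ and non-12.x versions are reported as not affected.
func versionAffected(version string) bool {
	v := strings.TrimSpace(version)
	if fixedVersions[v] {
		return false
	}
	parts := strings.Split(strings.SplitN(v, "+", 2)[0], ".") // drop build metadata
	if len(parts) != 3 {
		return false
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	return err1 == nil && err2 == nil && major == 12 && minor <= 2
}

// parseINI is a minimal grafana.ini-style reader (assumed layout): [section]
// headers, key = value pairs, '#' or ';' comment lines; section names lowercased.
func parseINI(text string) map[string]map[string]string {
	cfg, section := map[string]map[string]string{}, ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
		default:
			if k, val, ok := strings.Cut(line, "="); ok {
				if cfg[section] == nil {
					cfg[section] = map[string]string{}
				}
				cfg[section][strings.TrimSpace(k)] = strings.TrimSpace(val)
			}
		}
	}
	return cfg
}

func isTrue(s string) bool { return strings.EqualFold(strings.TrimSpace(s), "true") }

// scimToggleOn accepts either toggle form: "enableSCIM = true" or the flag
// named in the comma-separated "enable" list of [feature_toggles].
func scimToggleOn(cfg map[string]map[string]string) bool {
	ft := cfg["feature_toggles"]
	if isTrue(ft["enableSCIM"]) {
		return true
	}
	for _, f := range strings.Split(ft["enable"], ",") {
		if strings.TrimSpace(f) == "enableSCIM" {
			return true
		}
	}
	return false
}

// Audit evaluates one instance's config text and reported version.
func Audit(iniText, version string) Exposure {
	cfg := parseINI(iniText)
	return Exposure{
		SCIMEnabled:     scimToggleOn(cfg),
		UserSyncEnabled: isTrue(cfg["auth.scim"]["user_sync_enabled"]),
		VersionAffected: versionAffected(version),
	}
}

// Constructed sample configs (not from any real deployment): the at-risk layout,
// and the same instance with SCIM user sync switched off.
const sampleVulnerable = "[feature_toggles]\nenable = enableSCIM\n\n[auth.scim]\nuser_sync_enabled = true\n"
const sampleMitigated = "[feature_toggles]\nenable = enableSCIM\n\n[auth.scim]\nuser_sync_enabled = false\n"

func main() {
	for _, c := range []struct{ name, ini, ver string }{
		{"vulnerable", sampleVulnerable, "12.2.1"},
		{"patched build", sampleVulnerable, "12.2.1+security-01"},
		{"user sync off", sampleMitigated, "12.2.1"},
	} {
		e := Audit(c.ini, c.ver)
		fmt.Printf("%-14s %-20s vulnerable=%v %+v\n", c.name, c.ver, e.Vulnerable(), e)
	}
}
```

The check reports an instance as exposed only when all three conditions coincide, which mirrors the advisory: disabling user_sync_enabled (or the enableSCIM toggle) removes the exposure until the patched build is installed, and a patched build is reported as not affected regardless of configuration.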
Discovery and Recommendations
The vulnerability was found during internal auditing and testing on November 4, 2025. Given its severity, Grafana urges all users to apply the patches promptly.
Grafana’s Vardan Torosyan noted that the SCIM external ID is directly mapped to internal user IDs. As such, numeric values can be misconstrued as existing internal accounts, including admin roles, amplifying the risk of impersonation and privilege escalation.
To ensure security, Grafana users must remain vigilant and stay updated with the latest patches and configurations.