Grafana has released emergency security updates for Grafana Enterprise addressing a critical privilege-escalation flaw in its SCIM provisioning feature. Tracked as CVE-2025-41115, the vulnerability carries a maximum CVSS score of 10.0, making it one of the most severe issues ever reported in the Grafana ecosystem.
According to the advisory, the patch is now available in Grafana Enterprise 12.3, as well as backported releases 12.2.1, 12.1.3, and 12.0.6. Grafana Cloud environments have already been secured.
The vulnerability stems from how Grafana Enterprise processes SCIM (System for Cross-domain Identity Management) user identities. SCIM support was added earlier this year to streamline automated lifecycle management for enterprise environments.
However, a flaw in this system allows a malicious or compromised SCIM client to manipulate identity fields in dangerous ways. As Grafana states: “A vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation.”
Because the vulnerable code mapped the SCIM externalId straight onto the internal user.uid, a numeric value such as "1" could be interpreted as an existing internal user ID, including that of a high-privilege account. The underlying design error is treating an attacker-controlled identifier from an external system as if it lived in the same namespace as internally assigned IDs; an externalId should be stored and compared as an opaque string, never coerced into a numeric key.
The advisory further warns: “In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin.”
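To make the failure mode concrete, here is a small Go model of the lookup the advisory describes. It is an added example written for this page, not Grafana's code: the in-memory directory, the assumption that the built-in admin holds internal ID 1, the sample SCIM payloads and the digits-only rejection in the hardened path are all this example's own choices. It shows the vulnerable resolution (numeric externalId collides with an internal ID) beside a hardened one that keeps externalId in its own namespace, plus a scan that flags numeric externalIds in captured SCIM provisioning payloads.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// SCIMUser is the subset of a SCIM /Users payload that matters for this flaw.
type SCIMUser struct {
	UserName   string `json:"userName"`
	ExternalID string `json:"externalId"`
}

// User is an internal account record; ID is the internal numeric identifier.
type User struct {
	ID      int64
	Login   string
	IsAdmin bool
}

// Directory is a constructed in-memory stand-in for the Grafana user store.
// Assumption: internal IDs are small integers and ID 1 is the built-in admin.
type Directory struct {
	byID         map[int64]*User
	byExternalID map[string]*User // hardened path: externalId is an opaque key
	nextID       int64
}

func NewDirectory() *Directory {
	d := &Directory{byID: map[int64]*User{}, byExternalID: map[string]*User{}, nextID: 1}
	d.create("admin", true)
	d.create("alice", false)
	return d
}

func (d *Directory) create(login string, admin bool) *User {
	u := &User{ID: d.nextID, Login: login, IsAdmin: admin}
	d.byID[u.ID] = u
	d.nextID++
	return u
}

// ProvisionVulnerable models the pre-patch behaviour the advisory describes:
// externalId is mapped onto user.uid, so a numeric externalId collides with an
// existing internal ID and the SCIM client is handed that account.
func (d *Directory) ProvisionVulnerable(s SCIMUser) *User {
	if id, err := strconv.ParseInt(s.ExternalID, 10, 64); err == nil {
		if u, ok := d.byID[id]; ok {
			return u // externalId "1" resolves to the admin account
		}
	}
	return d.create(s.UserName, false)
}

// ProvisionHardened keeps externalId in its own namespace: it is matched only
// by exact string equality against earlier SCIM-provisioned users and is never
// parsed into an internal ID. Rejecting digits-only values is an extra guard
// chosen for this example, not a control the advisory specifies.
func (d *Directory) ProvisionHardened(s SCIMUser) (*User, error) {
	if s.ExternalID == "" || isAllDigits(s.ExternalID) {
		return nil, fmt.Errorf("rejecting externalId %q: must be a non-empty, non-numeric opaque identifier", s.ExternalID)
	}
	if u, ok := d.byExternalID[s.ExternalID]; ok {
		return u, nil // re-provisioning the same IdP identity is idempotent
	}
	u := d.create(s.UserName, false)
	d.byExternalID[s.ExternalID] = u
	return u, nil
}

func isAllDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// FlagNumericExternalIDs scans SCIM user payloads (one JSON document per line,
// e.g. captured from a SCIM proxy or an IdP export) and returns the userNames
// whose externalId is purely numeric, the pattern the advisory warns about.
func FlagNumericExternalIDs(jsonl string) []string {
	var flagged []string
	for _, line := range strings.Split(jsonl, "\n") {
		var s SCIMUser
		if err := json.Unmarshal([]byte(strings.TrimSpace(line)), &s); err != nil {
			continue // blank or non-SCIM line; skip
		}
		if isAllDigits(s.ExternalID) {
			flagged = append(flagged, s.UserName)
		}
	}
	return flagged
}

// Constructed sample payloads: one benign, one carrying a numeric externalId.
const samplePayloads = `{"userName":"alice@example.com","externalId":"b7e2c1a0-6f3d-4e9a-9c21-0a1f5d2e7b34"}
{"userName":"mallory@example.com","externalId":"1"}`

func main() {
	d := NewDirectory()
	u := d.ProvisionVulnerable(SCIMUser{UserName: "mallory@example.com", ExternalID: "1"})
	fmt.Printf("vulnerable: mallory resolved to %q (admin=%v)\n", u.Login, u.IsAdmin)
	if _, err := NewDirectory().ProvisionHardened(SCIMUser{UserName: "mallory@example.com", ExternalID: "1"}); err != nil {
		fmt.Println("hardened:", err)
	}
	fmt.Println("flagged:", FlagNumericExternalIDs(samplePayloads))
}
```

The hardened path is the general fix regardless of the digits-only guard: identities from an external provider are keyed by their own string identifier, and the internal numeric ID is always allocated by the server. The scan is the quick audit an administrator can run over their IdP's SCIM mappings before and after upgrading.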
Only Grafana Enterprise customers are impacted. Grafana OSS does not ship the SCIM feature and is not affected by this issue, and Grafana Cloud has already been patched.
The vulnerable versions (every 12.x build that predates the patched release of its branch) are:
- Grafana Enterprise 12.0.x before 12.0.6, 12.1.x before 12.1.3, and 12.2.x before 12.2.1
The vulnerability only applies when all of the following are enabled:
- enableSCIM = true
- user_sync_enabled = true under [auth.scim]
Both settings must be on: SCIM must be actively configured and in use for the exploit to be possible. Administrators who cannot upgrade immediately can remove that precondition by turning off SCIM user sync until the patched build is deployed.
Grafana urges administrators to update immediately. Patched releases include:
- 12.3.0
- 12.2.1
- 12.1.3
- 12.0.6
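The version range and the two configuration preconditions above combine into a simple "am I exposed" check. The following is an added Go example, not a Grafana tool: it parses a constructed grafana.ini excerpt and decides, from the patched builds listed in the advisory, whether a given Enterprise version with SCIM user sync enabled falls in the affected range. Assumptions made here: the enableSCIM toggle lives under a [feature_toggles] section (the page only names the key), branches after 12.3 are treated as shipping with the fix, and the check cannot tell Enterprise from OSS, so run it only against Enterprise instances.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed grafana.ini excerpt. The [feature_toggles] section name is an
// assumption about where enableSCIM lives; [auth.scim] comes from the advisory.
const sampleINI = `
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
`

// parseINI returns section -> key -> value for a minimal INI dialect
// (no quoting or continuation lines; ';' and '#' start comments).
func parseINI(src string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = line[1 : len(line)-1]
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if cfg[section] == nil {
			cfg[section] = map[string]string{}
		}
		cfg[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return cfg
}

// scimSyncEnabled reports whether both preconditions from the advisory hold.
func scimSyncEnabled(cfg map[string]map[string]string) bool {
	return strings.EqualFold(cfg["feature_toggles"]["enableSCIM"], "true") &&
		strings.EqualFold(cfg["auth.scim"]["user_sync_enabled"], "true")
}

// patchedPatch maps each 12.x minor named in the advisory to the first
// patched build on that branch: 12.0.6, 12.1.3, 12.2.1, 12.3.0.
var patchedPatch = map[int]int{0: 6, 1: 3, 2: 1, 3: 0}

// versionVulnerable reports whether an Enterprise version string falls in the
// affected range. Suffixes such as "+security-01" are ignored for comparison.
func versionVulnerable(version string) (bool, error) {
	parts := strings.SplitN(strings.TrimPrefix(version, "v"), ".", 3)
	if len(parts) != 3 {
		return false, fmt.Errorf("bad version %q", version)
	}
	var n [3]int
	for i, p := range parts {
		if j := strings.IndexAny(p, "-+"); j >= 0 {
			p = p[:j]
		}
		v, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("bad version %q: %w", version, err)
		}
		n[i] = v
	}
	if n[0] != 12 {
		return false, nil // the advisory's range starts at 12.0.0
	}
	fixed, known := patchedPatch[n[1]]
	if !known {
		return false, nil // assumption: branches after 12.3 carry the fix
	}
	return n[2] < fixed, nil
}

// Affected is true only when the build is in range AND SCIM user sync is on.
func Affected(version, ini string) (bool, error) {
	vuln, err := versionVulnerable(version)
	if err != nil {
		return false, err
	}
	return vuln && scimSyncEnabled(parseINI(ini)), nil
}

func main() {
	aff, err := Affected("12.2.0", sampleINI)
	fmt.Println("12.2.0 with SCIM user sync on -> affected:", aff, "err:", err)
}
```

Feed it the running instance's reported version and its effective grafana.ini; a "false" result because user sync is off is the interim mitigation, not a substitute for upgrading.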