Headline
Grafana Patches CVSS 10.0 SCIM Flaw Enabling Impersonation and Privilege Escalation
Grafana has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations. The vulnerability, tracked as CVE-2025-41115, carries a CVSS score of 10.0. It resides in the System for Cross-domain Identity Management (SCIM) component that allows automated user provisioning and management. First
Vulnerability / Threat Mitigation
Grafana has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations.
The vulnerability, tracked as CVE-2025-41115, carries a CVSS score of 10.0. It resides in the System for Cross-domain Identity Management (SCIM) component that allows automated user provisioning and management. First introduced in April 2025, it’s currently in public preview.
“In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow for overriding internal user IDs and lead to impersonation or privilege escalation,” Grafana’s Vardan Torosyan said.
That said, successful exploitation hinges on both conditions being met -
- enableSCIM feature flag is set to true
- user_sync_enabled config option in the [auth.scim] block is set to true
The shortcoming affects Grafana Enterprise versions from 12.0.0 to 12.2.1. It has been addressed in the following versions of the software -
- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0
“Grafana maps the SCIM externalId directly to the internal user.uid; therefore, numeric values (e.g. ‘1’) may be interpreted as internal numeric user IDs,” Torosyan said. “In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation.”
The analytics and observability platform said the vulnerability was discovered internally on November 4, 2025, during an audit and testing. Given the severity of the issue, users are advised to apply the patches as soon as possible to mitigate potential risks.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related news
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to true