Grafana Fixes High-Risk CVE-2025-41115 Vulnerability in SCIM Module


Grafana has released an urgent set of security patches to fix a critical vulnerability rated CVSS 10.0, the highest severity level possible. The flaw affects the System for Cross-domain Identity Management (SCIM) feature and could allow attackers to impersonate users or gain higher privileges on affected Grafana Enterprise installations.

The vulnerability, tracked as CVE-2025-41115, exists in the way Grafana handles user identities during the SCIM provisioning process. SCIM is used by many organizations to automatically create, update, or remove user accounts across multiple systems. Grafana introduced this feature in April 2025, and it is currently available in public preview.

According to Vardan Torosyan, the issue becomes dangerous when SCIM provisioning is enabled in the 12.x series. In that configuration a malicious or compromised SCIM client can create a user with a numeric externalId such as “1”. Because Grafana maps the externalId onto its internal user identifier, and internal user IDs are themselves numeric, that value can collide with an existing account’s ID. In the worst case the attacker’s provisioned identity is mapped onto an existing Admin account, opening the door to privilege escalation, full impersonation, and account takeover.

A CVSS score of 10.0 means that, once the vulnerable configuration is in place, the flaw is straightforward to exploit and the impact is total. A successful attacker can:

  • Impersonate legitimate users

  • Escalate privileges to Admin level

  • Access dashboards, alerts, data sources, and sensitive logs

  • Modify or delete critical configurations

  • Gain control over the entire Grafana environment

Grafana is widely used in enterprise environments for monitoring, analytics, security observability, and infrastructure visibility, so unauthorized admin access can lead to system manipulation, data exposure, and operational disruption.

Grafana clarified that the vulnerability is not exploitable in all environments by default. The flaw only becomes dangerous when two specific settings are enabled:

  1. enableSCIM feature flag is set to true

  2. user_sync_enabled option inside the [auth.scim] block is set to true

If both these conditions are active, a SCIM client can potentially assign a numeric externalId that maps to a valid internal user ID. Since internal user IDs are numeric, a malicious externalId like “1” could match an existing admin profile, allowing impersonation.

Organizations that have SCIM disabled, or that are not using the preview feature at all, are therefore not exposed to this issue.


The vulnerability affects Enterprise versions 12.0.0 to 12.2.1. Grafana has released patched and secured versions to fix the issue.

The following releases include the security fix:

  • 12.0.6+security-01

  • 12.1.3+security-01

  • 12.2.1+security-01

  • 12.3.0

Organizations running earlier versions within the affected range are strongly urged to upgrade immediately.

Grafana’s SCIM implementation directly maps the externalId field to the internal user.uid. That design becomes risky when numeric externalIds are accepted, because internal user IDs are numeric too. For example:

  • A SCIM client sends externalId = “1”

  • Grafana matches it to internal user ID 1

  • If user ID 1 belongs to an Admin, the newly provisioned user inherits Admin-level identity

This identity collision leads to one user being treated as another, enabling full impersonation. Grafana found the issue during an internal audit on November 4, 2025, which underscores the value of routine internal testing even for mature platforms.
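To make the collision concrete, here is a small Go model added for this write-up; it is not taken from Grafana’s code base. It holds an in-memory user table, a provisioning routine that reproduces the behaviour described above (a numeric externalId resolved against internal user IDs, so “1” lands on the admin row), and a hardened routine that keys SCIM identities only by a dedicated externalId column and refuses purely numeric values. The User fields, the Store type, the seed users and both function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// User is a minimal stand-in for a Grafana user row. Field names are an
// assumption for this example, not Grafana's schema.
type User struct {
	ID         int64  // internal numeric user ID
	UID        string // string identity key
	Login      string
	IsAdmin    bool
	ExternalID string // populated only for SCIM-provisioned users
}

// Store is an in-memory user table constructed for the example.
type Store struct {
	users  []User
	nextID int64
}

var errNumericExternalID = errors.New("scim: purely numeric externalId rejected")

func newStore() *Store {
	return &Store{
		users: []User{
			{ID: 1, UID: "admin", Login: "admin", IsAdmin: true}, // ID 1 is the built-in admin
			{ID: 2, UID: "alice", Login: "alice"},
		},
		nextID: 3,
	}
}

// provisionVulnerable models the flawed behaviour: the SCIM externalId is used
// as an identity key that is also compared against the numeric internal ID.
// A client sending externalId "1" is therefore matched to existing user 1
// instead of receiving a fresh, unprivileged account.
func (s *Store) provisionVulnerable(userName, externalID string) User {
	if n, err := strconv.ParseInt(externalID, 10, 64); err == nil {
		for _, u := range s.users {
			if u.ID == n {
				return u // identity collision: the new login now acts as this user
			}
		}
	}
	u := User{ID: s.nextID, UID: externalID, Login: userName, ExternalID: externalID}
	s.nextID++
	s.users = append(s.users, u)
	return u
}

// provisionHardened resolves SCIM identities only through the dedicated
// ExternalID column, never through the numeric internal ID, and rejects
// purely numeric externalIds so they can never be confused with one.
func (s *Store) provisionHardened(userName, externalID string) (User, error) {
	if _, err := strconv.ParseInt(externalID, 10, 64); err == nil {
		return User{}, errNumericExternalID
	}
	for _, u := range s.users {
		if u.ExternalID != "" && u.ExternalID == externalID {
			return u, nil // re-provisioning the same SCIM identity is legitimate
		}
	}
	u := User{ID: s.nextID, UID: "scim-" + externalID, Login: userName, ExternalID: externalID}
	s.nextID++
	s.users = append(s.users, u)
	return u, nil
}

func main() {
	s := newStore()
	got := s.provisionVulnerable("attacker", "1")
	fmt.Printf("vulnerable: externalId=1 resolved to id=%d login=%s admin=%v\n", got.ID, got.Login, got.IsAdmin)

	s = newStore()
	if _, err := s.provisionHardened("attacker", "1"); err != nil {
		fmt.Println("hardened:", err)
	}
	u, _ := s.provisionHardened("bob", "f3a2c1e0-idp")
	fmt.Printf("hardened: new user id=%d login=%s admin=%v\n", u.ID, u.Login, u.IsAdmin)
}
```

The hardened variant deliberately does two separate things: it stops using the externalId as something that can be compared with an internal ID at all, and it rejects numeric values outright so a misconfigured identity provider cannot reintroduce the ambiguity later. Real fixes may choose only the first, but the second is a cheap defence in depth.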

Grafana recommends urgent action for any organization using Grafana Enterprise with SCIM enabled. The following steps will help reduce or eliminate risk:

1. Install the latest patches

Upgrading to one of the fixed versions is the most effective way to block exploitation.

2. Verify SCIM configuration

Check whether the following are set to true:

  • enableSCIM

  • user_sync_enabled under [auth.scim]

If SCIM is not required in your environment, consider disabling it until the upgrade is complete.

3. Audit existing SCIM clients

Ensure that no untrusted or compromised SCIM clients have the ability to provision users.

4. Review user accounts

Look for unusual or unexpected accounts, especially SCIM-provisioned ones whose externalId is purely numeric.
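Steps 1, 2 and 4 can be scripted. The Go program below is an added example, not a Grafana tool: it decides whether a version string falls inside the affected range and is not one of the listed patched builds, parses a grafana.ini fragment for the two settings (checking both ways the [feature_toggles] section can name a flag, the `enable = a b c` list and `enableSCIM = true`), and lists SCIM-provisioned logins whose externalId is purely numeric. The ini text and the user records are constructed sample data; in practice you would feed it your real grafana.ini and the users returned by your SCIM client or user table. Step 3, auditing which clients hold SCIM credentials, is a process check and is not covered here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample grafana.ini fragment showing the vulnerable combination.
const vulnerableIni = `[feature_toggles]
enable = publicDashboards enableSCIM
[auth.scim]
user_sync_enabled = true`

// Same fragment with SCIM user sync switched off, which removes one condition.
const hardenedIni = `[feature_toggles]
enable = publicDashboards enableSCIM
[auth.scim]
user_sync_enabled = false`

// scimRecord is a constructed stand-in for a SCIM-provisioned user (login, externalId).
type scimRecord struct{ Login, ExternalID string }

var sampleRecords = []scimRecord{
	{"alice", "7d9c2b41-idp"}, {"attacker", "1"}, {"bob", "b4e1-idp"},
}

// parseINI is a minimal section/key=value reader, enough for these checks.
func parseINI(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = line[1 : len(line)-1]
		default:
			if k, v, ok := strings.Cut(line, "="); ok {
				if cfg[section] == nil {
					cfg[section] = map[string]string{}
				}
				cfg[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	return cfg
}

func isTrue(v string) bool {
	b, err := strconv.ParseBool(v)
	return err == nil && b
}

// SCIMExposed reports whether both advisory conditions hold: the enableSCIM
// feature toggle (list form "enable = a b c" or "enableSCIM = true") and
// user_sync_enabled = true under [auth.scim].
func SCIMExposed(ini string) bool {
	cfg := parseINI(ini)
	ft := cfg["feature_toggles"]
	enabled := isTrue(ft["enableSCIM"])
	for _, f := range strings.FieldsFunc(ft["enable"], func(r rune) bool { return r == ' ' || r == ',' }) {
		enabled = enabled || f == "enableSCIM"
	}
	return enabled && isTrue(cfg["auth.scim"]["user_sync_enabled"])
}

// Patched builds named by Grafana; any other build inside 12.0.0..12.2.1 is affected.
var fixedBuilds = map[string]bool{
	"12.0.6+security-01": true, "12.1.3+security-01": true, "12.2.1+security-01": true,
}

// VersionAffected applies the Enterprise range 12.0.0 to 12.2.1 from the
// advisory; unrecognised "+" build suffixes are conservatively treated as unpatched.
func VersionAffected(v string) bool {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if fixedBuilds[v] {
		return false
	}
	base, _, _ := strings.Cut(v, "+")
	var major, minor, patch int
	if n, _ := fmt.Sscanf(base, "%d.%d.%d", &major, &minor, &patch); n != 3 {
		return false
	}
	return major == 12 && (minor < 2 || (minor == 2 && patch <= 1))
}

// SuspiciousExternalIDs lists logins whose externalId is purely numeric, the
// pattern that can collide with an internal user ID.
func SuspiciousExternalIDs(recs []scimRecord) []string {
	var out []string
	for _, r := range recs {
		if _, err := strconv.ParseUint(r.ExternalID, 10, 64); err == nil {
			out = append(out, r.Login)
		}
	}
	return out
}

func main() {
	fmt.Println("12.2.1 affected:", VersionAffected("12.2.1"), " 12.2.1+security-01 affected:", VersionAffected("12.2.1+security-01"))
	fmt.Println("vulnerable config exposed:", SCIMExposed(vulnerableIni), " hardened config exposed:", SCIMExposed(hardenedIni))
	fmt.Println("numeric externalIds:", SuspiciousExternalIDs(sampleRecords))
}
```

Treating any unknown build suffix as unpatched is deliberate: a version check that errs toward "affected" costs an unnecessary upgrade, while one that errs the other way leaves an exposed instance unpatched.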
