Grafana has patched a critical security vulnerability, CVE-2025-41115, with a maximum CVSS score of 10.0, which could lead to user impersonation or privilege escalation. The flaw resides in the System for Cross-domain Identity Management (SCIM) component, which handles automated user provisioning and management; the component was introduced in April 2025 and is currently in public preview.
The vulnerability affects Grafana Enterprise versions 12.0.0 through 12.2.1. Exploitation requires both the enableSCIM feature flag and the user_sync_enabled option within the [auth.scim] block to be set to true.
Vardan Torosyan of Grafana explained that the SCIM component directly maps the externalId to Grafana’s internal user.uid. This allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which the system can then misinterpret as an existing internal user ID. This misinterpretation could grant the newly provisioned user access to an existing account, such as an administrator’s, leading to impersonation or privilege escalation.
Grafana discovered this vulnerability internally on November 4, 2025, during an audit. Patches have been released for the following Grafana Enterprise versions:
- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0
Users are advised to update their Grafana Enterprise installations immediately to mitigate the risks associated with this critical vulnerability.
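The following audit helper is an added example, not Grafana's own code: it combines the affected-version window, the patched builds listed above, and the two configuration conditions from the advisory (the enableSCIM feature flag plus user_sync_enabled under [auth.scim]) into a single "is this host exposed?" check. It assumes the feature flag lives in the standard [feature_toggles] section of grafana.ini, either listed under `enable` or set as `enableSCIM = true`; the sample configs are constructed for the demonstration.

```python
import configparser
import re

# Patched builds named in the advisory; any other 12.0.0 .. 12.2.1 build is treated as affected.
FIXED_BUILDS = {"12.0.6+security-01", "12.1.3+security-01", "12.2.1+security-01", "12.3.0"}
AFFECTED_LOW, AFFECTED_HIGH = (12, 0, 0), (12, 2, 1)


def parse_version(version: str) -> tuple:
    """Numeric major.minor.patch of a Grafana version, ignoring a '+security-NN' build suffix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version: str) -> bool:
    """True for an unpatched build inside the 12.0.0 .. 12.2.1 window (conservative)."""
    if version.strip() in FIXED_BUILDS:
        return False
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def scim_user_sync_enabled(ini_text: str) -> bool:
    """True only when BOTH the enableSCIM flag and [auth.scim] user_sync_enabled are on."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # Assumed layout: toggles as a comma/space list under 'enable' or as 'flag = true'.
    listed = re.split(r"[,\s]+", cp.get("feature_toggles", "enable", fallback="").strip())
    flag_on = "enableSCIM" in listed or cp.getboolean("feature_toggles", "enableSCIM", fallback=False)
    sync_on = cp.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return flag_on and sync_on


def exposed(version: str, ini_text: str) -> bool:
    """Exploitable condition per the advisory: affected build AND SCIM user sync enabled."""
    return version_affected(version) and scim_user_sync_enabled(ini_text)


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_INI = "[feature_toggles]\nenable = enableSCIM\n[auth.scim]\nuser_sync_enabled = true\n"
HARDENED_INI = "[feature_toggles]\nenable = enableSCIM\n[auth.scim]\nuser_sync_enabled = false\n"

if __name__ == "__main__":
    for ver in ("12.1.0", "12.1.3+security-01", "12.3.0"):
        print(ver, "exposed" if exposed(ver, VULNERABLE_INI) else "not exposed")
```

Disabling user_sync_enabled removes the exploitable condition on an unpatched host, but the advisory's recommendation remains to upgrade to one of the patched builds.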