Grafana has issued urgent security updates for a critical vulnerability in its SCIM provisioning feature, carrying a maximum CVSS score of 10.0. This flaw could allow attackers to escalate privileges or impersonate users.
The vulnerability, CVE-2025-41115, is found in the System for Cross-domain Identity Management (SCIM) component, which automates user provisioning. This feature was introduced in April 2025 and is currently in public preview.
Specifically, in Grafana versions 12.x where SCIM provisioning is active, a malicious client could provision a user with a numeric “externalId.” This numeric ID might then be misinterpreted as an internal user ID.
Such a misinterpretation could lead to a newly provisioned user being treated as an existing internal account, potentially even an Administrator. This opens the door for serious impersonation or privilege escalation attacks.
For a successful exploit, two conditions must be met: the “enableSCIM” feature flag must be true, and the “user_sync_enabled” option in the “[auth.scim]” block must also be true.
Affected versions include Grafana Enterprise 12.0.0 through 12.2.1. Users are strongly advised to update to patched versions: 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01, or 12.3.0.
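As an added defender's check (not Grafana's own code), the script below reads a grafana.ini and a version string and reports whether an install matches the three exploit conditions the advisory lists: an affected 12.x build, the enableSCIM feature flag, and user_sync_enabled under [auth.scim]. It assumes the feature flag is set in the [feature_toggles] section (either as its own key or in the comma-separated enable list) and conservatively treats any 12.0/12.1/12.2 build that is not one of the listed +security-01 releases as affected; the sample configs are constructed.

```python
"""Added check, not Grafana's code: does an install match the CVE-2025-41115
exploit conditions from the advisory (affected Enterprise 12.x build, enableSCIM
flag on, [auth.scim] user_sync_enabled on)? Assumption: the flag lives in
[feature_toggles], as 'enableSCIM = true' or in the 'enable =' list."""
import configparser
import re

# Patched builds named in the advisory.
PATCHED = {"12.0.6+security-01", "12.1.3+security-01",
           "12.2.1+security-01", "12.3.0"}

def parse_version(version):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\+[\w.-]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    # Advisory range 12.0.0 .. 12.2.1 minus the listed +security-01 builds.
    # Conservative assumption: any other 12.0/12.1/12.2 build counts as affected.
    if version.strip() in PATCHED:
        return False
    major, minor, _patch = parse_version(version)
    return major == 12 and minor <= 2

def scim_enabled(ini_text):
    """Return (enableSCIM flag on, user_sync_enabled on) from grafana.ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    flag = cp.getboolean("feature_toggles", "enableSCIM", fallback=False)
    enable_list = cp.get("feature_toggles", "enable", fallback="")
    flag = flag or "enableSCIM" in [f.strip() for f in enable_list.split(",")]
    sync = cp.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return flag, sync

def is_exposed(version, ini_text):
    flag, sync = scim_enabled(ini_text)
    return version_affected(version) and flag and sync

# Constructed sample configs, not taken from any real deployment.
VULN_INI = """[feature_toggles]
enableSCIM = true
[auth.scim]
user_sync_enabled = true
"""
SAFE_INI = """[feature_toggles]
enable = someOtherFlag
[auth.scim]
user_sync_enabled = true
"""
```

Call `is_exposed("12.2.1", open("grafana.ini").read())` against a real config; a `True` result means the install should be moved to one of the patched builds or SCIM user sync disabled until it is.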
The flaw was discovered internally on November 4, 2025, during an internal audit and testing, underscoring the value of continuous security checks. Grafana urges users to apply these patches immediately.
For more details on SCIM provisioning in Grafana, refer to the official documentation page "Configure SCIM provisioning".
Further information on the security update and the critical fix can be found in the Grafana blog post "Grafana Enterprise Security Update".
This critical Grafana vulnerability highlights the persistent threat of privilege escalation. In a similar vein, CISA recently warned about a critical, actively exploited zero-day flaw in Oracle Identity Manager that also allows unauthorized access and potential system compromise.
The discovery of this Grafana flaw during an internal audit emphasizes the importance of continuous security checks and robust security tooling for identifying vulnerabilities before threat actors can exploit them.