Grafana released emergency patches for a critical SCIM vulnerability (CVE-2025-41115) that allows attackers to escalate privileges or impersonate admins in Grafana Enterprise.
The flaw, scored CVSS 10.0, affects versions 12.0.0 through 12.2.1 when SCIM provisioning is enabled.
Grafana Labs disclosed it alongside the Enterprise 12.3 launch on November 19, 2025, urging immediate upgrades.
SCIM, introduced in April 2025 for automated user lifecycle management, handles identity provisioning across domains.
In vulnerable setups, a malicious or compromised SCIM client can supply a numeric externalId such as "1", which Grafana maps directly to the internal user.uid.
This overrides existing numeric IDs, such as the default Admin account (often uid=1), enabling impersonation or privilege escalation without authentication.
Attackers need no privileges (PR:N) and can strike remotely over the network (AV:N) with low attack complexity (AC:L). The changed scope (S:C) amplifies impact, granting complete confidentiality (C:H), integrity (I:H), and availability (A:H) compromise.
Exploitation requires two conditions: the enableSCIM feature flag set to true and user_sync_enabled=true in the [auth.scim] config block. Open-source Grafana users remain unaffected, as SCIM is an Enterprise-only feature.
Impacted versions include Grafana Enterprise 12.0.0–12.2.1. Patched releases 12.3.0, 12.2.1, 12.1.3, and 12.0.6 are available for download.
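A quick way to check whether a deployment meets both preconditions above is to parse its grafana.ini and compare the running version against the affected range. The script below is an added example, not Grafana Labs code; it assumes the feature toggle may be written either as `enableSCIM = true` or inside the `enable =` list of `[feature_toggles]`, and that patched point releases carry a `+security-NN` build suffix (both assumptions, not stated on this page). The sample configuration is constructed.

```python
"""Audit a Grafana Enterprise instance for the CVE-2025-41115 preconditions."""
import configparser

# Constructed sample grafana.ini; it is not taken from any real deployment.
SAMPLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

AFFECTED_MIN = (12, 0, 0)
AFFECTED_MAX = (12, 2, 1)


def parse_version(version):
    """Return the numeric core of a version string as a comparable tuple."""
    core = version.split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_affected(version):
    """True if the version lies in 12.0.0..12.2.1 and is not a security rebuild.
    Assumption: patched point releases carry a '+security-NN' build suffix."""
    if "+security" in version:
        return False
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scim_user_sync_enabled(ini_text):
    """True when both preconditions named in the advisory are set."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    # Assumption: the toggle appears as 'enableSCIM = true' or in an 'enable' list.
    flag = cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    enable_list = cfg.get("feature_toggles", "enable", fallback="")
    flag = flag or "enableSCIM" in [f.strip() for f in enable_list.split(",")]
    sync = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return flag and sync


def is_exposed(version, ini_text):
    """Vulnerable state: affected build AND SCIM user sync switched on."""
    return version_affected(version) and scim_user_sync_enabled(ini_text)


if __name__ == "__main__":
    print("exposed:", is_exposed("12.2.1", SAMPLE_INI))  # exposed: True
```

Run it against the real grafana.ini and the output of `grafana-server -v` on each Enterprise host; an `exposed: True` result means upgrade or disable SCIM user sync until you can.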
Grafana Cloud, Amazon Managed Grafana, and Azure Managed Grafana received fixes under embargo before the announcement. Enterprise customers got patches early.
Grafana’s user ID handling flaw stems from direct externalId-to-uid mapping without validation for numeric clashes.
SCIM configuration is documented at grafana.com/docs/grafana/latest/setup-grafana/configure-access/configure-scim-provisioning/.
No in-the-wild exploitation was observed in Grafana Cloud, per internal audits.
The incident unfolded swiftly:
| Date (UTC) | Event |
|---|---|
| 2025-11-04 16:30 | Internal incident declared; CVE reserved. |
| 2025-11-04 19:14 | Audit uncovers ID overwrite via numeric externalId. |
| 2025-11-04 16:45 | Cloud confirmed safe; patches developed. |
| 2025-11-05 17:52 | Private patches released to customers. |
| 2025-11-19 10:33 | Public patches out. |
| 2025-11-19 20:00 | Blog post published. |
Mitigate by upgrading immediately, or disable SCIM temporarily if an upgrade must wait.
Grafana Labs coordinates responsibly, with a bug bounty and hall of fame for reporters. Track fixes via their security blog RSS.
This underscores SCIM-related risks in observability platforms, where misconfigured identities amplify breaches.
Organizations using Grafana Enterprise for dashboards and metrics should audit SCIM setups now.