# Full Report
Grafana has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations. The vulnerability, tracked as CVE-2025-41115, carries a CVSS score of 10.0. It resides in the System for Cross-domain Identity Management (SCIM) component that allows automated user provisioning and management. First
# Analysis Summary
# Vulnerability: Critical SCIM Component Flaw Allowing Privilege Escalation/Impersonation in Grafana
## CVE Details
- CVE ID: CVE-2025-41115
- CVSS Score: 10.0 (Critical)
- CWE: Not explicitly specified in the provided text.
## Affected Systems
- Products: Grafana Enterprise
- Versions: 12.0.0 through 12.2.1
- Configurations: Exploitable only when both the `enableSCIM` feature flag is set to `true` and the `user_sync_enabled` option in the `[auth.scim]` configuration block is set to `true`.
## Vulnerability Description
The vulnerability resides in the System for Cross-domain Identity Management (SCIM) provisioning component. When a malicious or compromised SCIM client provisions a user with a numeric `externalId`, Grafana maps this ID directly to the internal `user.uid`. Since internal user IDs are also numeric (e.g., the admin user might have UID '1'), provisioning a user with a matching numeric externalId can cause the newly provisioned user record to overwrite or incorrectly inherit the properties of an existing internal user, leading to potential user impersonation or privilege escalation (e.g., gaining Admin access).
## Exploitation
- Status: Discovered internally (November 4, 2025). No mention of public exploitation or PoC availability.
- Complexity: Likely Medium, as it requires specific configurations to be enabled.
- Attack Vector: Network (via the SCIM client interface).
## Impact
- Confidentiality: High (Potential access to sensitive data via impersonation).
- Integrity: High (Potential for unauthorized configuration changes via privilege escalation).
- Availability: High (disruption of service through unauthorized administrative actions).
## Remediation
### Patches
- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0
### Workarounds
- Disable SCIM provisioning until patched, either by setting the `enableSCIM` feature flag to `false` or by setting `user_sync_enabled = false` in the `[auth.scim]` configuration block.
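The exposure condition in this advisory is a conjunction of two settings, so a configuration audit only needs to check whether both are on. The following script is an added example, not Grafana's own code: it reads a `grafana.ini` fragment and reports whether the `enableSCIM` feature flag (in Grafana's `[feature_toggles]` section, either as its own key or in the comma-separated `enable =` list) and `[auth.scim] user_sync_enabled` are both enabled. The two ini samples are constructed for illustration.

```python
"""Audit a grafana.ini fragment for the CVE-2025-41115 exposure condition.

Added example, not Grafana project code. Assumptions: feature flags live in the
[feature_toggles] section (as a per-flag key or in the `enable` list); the
[auth.scim] section and `user_sync_enabled` key are as named in the advisory.
"""
import configparser

# Constructed sample: both conditions enabled -> exposed.
VULNERABLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

# Constructed sample: the workaround applied (feature flag off) -> not exposed.
MITIGATED_INI = """
[feature_toggles]
enableSCIM = false

[auth.scim]
user_sync_enabled = true
"""


def _bool_option(cfg: configparser.ConfigParser, section: str, key: str) -> bool:
    """Read a boolean key; absent or unparsable values count as false (Grafana's default)."""
    if not cfg.has_option(section, key):
        return False
    try:
        return cfg.getboolean(section, key)
    except ValueError:
        return False


def scim_feature_enabled(cfg: configparser.ConfigParser) -> bool:
    """True if enableSCIM is on via `enableSCIM = true` or via the `enable = a,b,c` list."""
    if _bool_option(cfg, "feature_toggles", "enableSCIM"):
        return True
    enable_list = cfg.get("feature_toggles", "enable", fallback="")
    toggles = {t.strip().lower() for t in enable_list.replace(" ", ",").split(",") if t.strip()}
    return "enablescim" in toggles


def scim_sync_exposed(ini_text: str) -> bool:
    """Return True only when BOTH advisory conditions are enabled."""
    cfg = configparser.ConfigParser(interpolation=None)  # Grafana ini has no %-interpolation
    cfg.read_string(ini_text)
    return scim_feature_enabled(cfg) and _bool_option(cfg, "auth.scim", "user_sync_enabled")


if __name__ == "__main__":
    for name, text in (("vulnerable sample", VULNERABLE_INI), ("mitigated sample", MITIGATED_INI)):
        print(f"{name}: {'EXPOSED' if scim_sync_exposed(text) else 'not exposed'}")
```

Run it against your own `grafana.ini` (read the file into `scim_sync_exposed`) as a pre-patch triage step; a result of `EXPOSED` on an affected 12.0.0 to 12.2.1 build means one of the two workaround settings should be flipped until the fixed release is deployed. Feature flags set through environment variables rather than the ini file are outside what this fragment inspects.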
## Detection
- Indicators of Compromise: Look for unusual user-provisioning events from the SCIM client in which the `externalId` is a small integer matching an existing internal user UID (e.g., 1, 2, 3...).
- Detection methods and tools: Monitor SCIM provisioning transactions for purely numeric external IDs being submitted, and alert when one matches an existing internal UID.
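The detection guidance above reduces to one rule over SCIM provisioning traffic: an `externalId` that is purely numeric is suspicious, and one that equals an existing internal `user.uid` is the collision the vulnerability description explains. The script below is an added example, not Grafana's own code. It parses constructed JSON-lines log records of SCIM `POST /Users` requests (field names `externalId` and `userName` come from the SCIM core schema; the log record layout and the set of existing numeric UIDs are assumptions for illustration) and reports each event as a collision, a numeric external ID, or benign.

```python
"""Flag SCIM provisioning requests whose externalId is numeric or collides with an
internal user UID (CVE-2025-41115 detection logic). Added example, not Grafana code.

Assumptions: provisioning events are logged as JSON lines with a `body` that is the
SCIM User resource; `EXISTING_UIDS` is the set of internal numeric user.uid values
as the advisory describes them (here constructed: admin is "1").
"""
import json
import re

# Constructed sample log: one normal UUID externalId, one colliding with uid "1",
# one numeric but non-colliding, one with no externalId at all.
SAMPLE_LOG = "\n".join([
    '{"ts":"2025-11-20T10:00:01Z","client":"idp-provisioner","op":"POST /Users",'
    '"body":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],'
    '"externalId":"c1b2e3d4-ab12-4cd3-9ef0-0123456789ab","userName":"alice"}}',
    '{"ts":"2025-11-20T10:00:02Z","client":"idp-provisioner","op":"POST /Users",'
    '"body":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],'
    '"externalId":"1","userName":"mallory"}}',
    '{"ts":"2025-11-20T10:00:03Z","client":"idp-provisioner","op":"POST /Users",'
    '"body":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],'
    '"externalId":4711,"userName":"bob"}}',
    '{"ts":"2025-11-20T10:00:04Z","client":"idp-provisioner","op":"POST /Users",'
    '"body":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],'
    '"userName":"carol"}}',
])

EXISTING_UIDS = {"1", "2", "3"}  # constructed: internal numeric user.uid values

NUMERIC_ID = re.compile(r"^\d+$")


def classify_external_id(external_id, existing_uids) -> str:
    """Return 'collision', 'numeric', 'missing' or 'ok' for one externalId value.

    The value is coerced to str because a client may send it as a JSON number;
    leading zeros are normalised so "001" is treated like "1".
    """
    if external_id is None:
        return "missing"  # SCIM permits omitting externalId; note but do not alert
    text = str(external_id).strip()
    if not NUMERIC_ID.match(text):
        return "ok"
    if str(int(text)) in existing_uids:
        return "collision"
    return "numeric"


def scan_provisioning_log(log_text: str, existing_uids) -> list:
    """Parse JSON-lines events and return (verdict, userName, externalId) for alerts."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        body = event.get("body", {})
        verdict = classify_external_id(body.get("externalId"), existing_uids)
        if verdict in ("collision", "numeric"):
            findings.append((verdict, body.get("userName"), str(body.get("externalId"))))
    return findings


if __name__ == "__main__":
    for verdict, user, ext in scan_provisioning_log(SAMPLE_LOG, EXISTING_UIDS):
        severity = "HIGH" if verdict == "collision" else "MEDIUM"
        print(f"[{severity}] {verdict}: userName={user} externalId={ext}")
```

A collision finding warrants immediate review of the affected internal account (role, recent sessions, API keys); a numeric finding is lower priority but still unexpected from most identity providers, which issue opaque or UUID-style external IDs, so it is worth asking why the SCIM client produced it.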
## References
- Vendor Advisories: Grafana Enterprise Security Update (Blog post referenced in article).
- Relevant links (defanged):
  - hxxps://grafana.com/docs/grafana/latest/setup-grafana/configure-access/configure-scim-provisioning/
  - hxxps://grafana.com/blog/2025/05/14/introducing-scim-provisioning-in-grafana-enterprise-grade-user-management-made-simple/
  - hxxps://grafana.com/blog/2025/11/19/grafana-enterprise-security-update-critical-severity-security-fix-for-cve-2025-41115/