Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation.
The issue is only exploitable when SCIM (System for Cross-domain Identity Management) provisioning is enabled and configured.
Specifically, both 'enableSCIM' feature flag and 'user_sync_enabled' options must be set to true to allow a malicious or compromised SCIM client to provision a user with a numeric externalId that maps to an internal account, including administrators.
The externalId is a SCIM bookkeeping attribute used by the identity provider to track users.
Because Grafana mapped this value directly to its internal user.uid, a numeric externalId such as \ "1\" could be interpreted as an existing internal account, enabling impersonation or privilege escalation.
According to Grafana's documentation, SCIM provisioning is currently in 'Public Preview' and there is limited support available. Because of this, adoption of the feature may not be widespread.
Grafana is a data visualization and monitoring platform used by a broad spectrum of organizations, from startups to Fortune 500 companies, for turning metrics, logs, and other operational data into dashboards, alerts, and analytics.
"In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation" - Grafana Labs
CVE-2025-41115 impacts Grafana Enterprise versions between 12.0.0 and 12.2.1 (when SCIM is enabled).
Grafana OSS users aren't impacted, while Grafana Cloud services, including Amazon Managed Grafana and Azure Managed Grafana, have already received the patches.
... continue reading