Grafana Addresses Critical Security Flaw
Grafana has recently rolled out significant security updates aimed at patching a high-severity vulnerability that could enable privilege escalation or user impersonation in specific configurations. This vulnerability, identified as CVE-2025-41115, carries a critical CVSS score of 10.0, marking it as one of the most serious vulnerabilities in its system.
Understanding the Vulnerability
The issue is embedded in the System for Cross-domain Identity Management (SCIM) component, which facilitates the automated management and provisioning of user identities. Although it was first introduced in April 2025, the feature is still in public preview, raising concerns about its security implications.
Grafana’s Vardan Torosyan explained that in Grafana versions 12.x, when SCIM provisioning is enabled, a vulnerability exists regarding how user identities are handled. A compromised or malicious SCIM client could provision a user with a numeric external ID, which risks overriding internal user IDs. This can result in serious consequences like impersonation or privilege escalation.
Conditions for Exploitation
For an attacker to successfully exploit this vulnerability, two specific conditions must be satisfied:
- The
enableSCIMfeature flag needs to be set to true. - The
user_sync_enabledconfiguration option in the[auth.scim]block must also be true.
These stipulations indicate that the vulnerability primarily affects Grafana Enterprise versions ranging from 12.0.0 to 12.2.1.
How to Mitigate the Risk
Grafana has provided fixes in these versions of the software:
- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0
Torosyan further emphasized the concern: “Grafana maps the SCIM externalId directly to the internal user.uid. As a result, numeric external IDs (like ‘1’) might be interpreted as internal user IDs, which could potentially allow new users to be treated as existing internal accounts, including administrative accounts.”
Discovery and Response
The internal discovery of the vulnerability took place on November 4, 2025, during an audit and testing session. Given its critical nature, Grafana underscores the importance for users to implement the latest patches immediately to stave off potential security breaches.
Conclusion
As digital security threats continue to evolve, prompt awareness and action are crucial in maintaining the integrity and safety of systems like Grafana. By addressing vulnerabilities swiftly, organizations can safeguard their data and operations from malicious attacks.
