Grafana Labs has released critical security patches addressing a severe vulnerability in its SCIM provisioning feature that could allow attackers to escalate privileges or impersonate users.
The flaw, tracked as CVE-2025-41115 with a CVSS score of 10.0 (Critical), affects Grafana Enterprise versions 12.0.0 through 12.2.1 under specific configurations.
Organizations using affected versions should update immediately to a patched release.
The vulnerability exists in the System for Cross-domain Identity Management (SCIM) provisioning functionality, which Grafana introduced in April 2025 to simplify automated user lifecycle management.
| CVE ID | Vulnerability Type | CVSS Score | Affected Versions |
|---|---|---|---|
| CVE-2025-41115 | Incorrect Privilege Assignment (SCIM Provisioning) | 10.0 Critical | Enterprise 12.0.0 – 12.2.1 |
A critical flaw in how the system handles user identity mapping allows a malicious or compromised SCIM client to provision users with numeric external IDs.
These numeric values can override internal user IDs, potentially allowing attackers to gain access as existing privileged accounts, including administrator accounts.
Vulnerability Scope and Requirements
The vulnerability affects only Grafana environments where SCIM provisioning is enabled and configured with specific settings.
Exploitation requires two conditions to be met simultaneously: the enableSCIM feature flag must be set to true, and the user_sync_enabled configuration option in the auth.scim block must also be enabled.
This targeted scope means organizations without SCIM provisioning enabled face no risk from this flaw. Additionally, Grafana OSS users are entirely unaffected by this vulnerability.
When these conditions are present, the system maps SCIM external IDs directly to internal user UIDs.
An attacker exploiting this flaw could create a user with a numeric external ID matching an existing administrator account, effectively gaining administrative privileges without proper authorization. In some scenarios, this could result in complete account impersonation.
Grafana Labs released patched versions on November 19, 2025: Enterprise 12.3.0, 12.2.1, 12.1.3, and 12.0.6 all contain security fixes for this critical flaw.
The company strongly recommends upgrading to one of these patched versions immediately. Grafana Cloud customers are already protected, as patches were applied to all managed cloud instances before public disclosure.
Amazon Managed Grafana and Azure Managed Grafana both confirmed their offerings are secure.
The company discovered this vulnerability during internal security testing and immediately began working on remediation.
No evidence indicates that this flaw was exploited in Grafana Cloud environments before patching. Grafana Labs coordinated early notification with all cloud providers under embargo, ensuring swift deployment of fixes before public announcement.
The entire incident from discovery to public patch release took approximately 15 days, demonstrating Grafana’s responsible disclosure approach.
Organizations should prioritize upgrading affected instances and verifying that SCIM provisioning configurations are adequately secured.
For those unable to update immediately, disabling SCIM provisioning or the user_sync_enabled setting provides temporary mitigation until patches can be deployed.
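As an added example (not code from Grafana Labs or the original article), the following Python checks a grafana.ini for the two preconditions described above (the enableSCIM feature flag plus auth.scim user_sync_enabled), produces a copy with the temporary mitigation just mentioned applied, and flags the numeric externalId shape in a SCIM User payload for audit review. It assumes the feature flag is listed under a [feature_toggles] section and that SCIM users arrive as plain dicts carrying an externalId attribute; the sample configs are constructed.

```python
import configparser
from io import StringIO
# Constructed sample configs (not from the page): the vulnerable combination
# and one where the temporary mitigation (user_sync_enabled off) is in place.
VULNERABLE_INI = """
[feature_toggles]
enable = enableSCIM

[auth.scim]
user_sync_enabled = true
"""
SAFE_INI = VULNERABLE_INI.replace("user_sync_enabled = true", "user_sync_enabled = false")
def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "on"}

def _load(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "enableSCIM" survives parsing
    cp.read_string(ini_text)
    return cp

def scim_user_sync_active(ini_text: str) -> bool:
    """True only when both preconditions named in the advisory are set:
    the enableSCIM feature flag and auth.scim user_sync_enabled."""
    cp = _load(ini_text)
    toggles = cp["feature_toggles"] if cp.has_section("feature_toggles") else {}
    listed = {t.strip() for t in toggles.get("enable", "").split(",")}
    flag_on = "enableSCIM" in listed or _truthy(toggles.get("enableSCIM", "false"))
    sync_on = _truthy(cp.get("auth.scim", "user_sync_enabled", fallback="false"))
    return flag_on and sync_on

def mitigated_ini(ini_text: str) -> str:
    """Copy of the config with user_sync_enabled forced to false, the stopgap
    suggested for instances that cannot be patched immediately."""
    cp = _load(ini_text)
    if not cp.has_section("auth.scim"):
        cp.add_section("auth.scim")
    cp.set("auth.scim", "user_sync_enabled", "false")
    buf = StringIO()
    cp.write(buf)
    return buf.getvalue()

def flag_suspicious_provisioning(scim_user: dict) -> list[str]:
    """Audit-side check for a SCIM User payload: a purely numeric externalId is
    the identifier shape the advisory says can collide with an internal user ID."""
    ext = scim_user.get("externalId")
    if isinstance(ext, int) or (isinstance(ext, str) and ext.strip().isdigit()):
        return [f"numeric externalId {ext!r} could map onto an existing internal user ID"]
    return []
```

Run the payload check over exported SCIM provisioning records or IdP push logs to find historical numeric externalId values worth correlating with the audit-log review recommended below.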
Organizations suspecting exploitation should review audit logs for suspicious user provisioning activities and check for unexpected administrative account access.
Security teams should monitor Grafana’s official blog for additional guidance and coordinate updates with their IT infrastructure teams to minimize service disruption during patching.