Critical Grafana Vulnerability Let Attackers Escalate Privilege


Grafana Labs has disclosed a critical security vulnerability affecting Grafana Enterprise that could allow attackers to escalate privileges and impersonate users.

The flaw, tracked as CVE-2025-41115, carries a CVSS score of 10.0, the maximum possible, because an unauthenticated-to-the-victim SCIM client can end up holding an administrator's identity.

The vulnerability exists in Grafana's SCIM (System for Cross-domain Identity Management) provisioning feature, introduced in April 2025 so that organizations can automate user lifecycle management from an identity provider.

The issue affects Grafana Enterprise versions 12.0.0 through 12.2.1 where SCIM provisioning is enabled and configured.

According to Grafana Labs, the vulnerability stems from incorrect handling of user identities. A malicious or compromised SCIM client could provision a user with a numeric externalId, potentially overriding internal user IDs.

CVE ID: CVE-2025-41115
Vulnerability Type: Incorrect Privilege Assignment / User Impersonation
CVSS Score: 10.0
Severity: Critical
Affected Products: Grafana Enterprise (with SCIM provisioning enabled)
Affected Versions: Grafana Enterprise 12.0.0 to 12.2.1

Because the provisioned account can resolve to an existing internal record, an attacker who controls the SCIM client could impersonate existing users, including administrators, and obtain full administrative control of the Grafana instance.
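The identity-confusion pattern described above, as an added illustration that is not Grafana's code: a vulnerable resolver coerces the client-supplied externalId to a number and uses it to address the internal user table, while the hardened resolver treats externalId as an opaque string in its own namespace. The User, Directory and Provision* names are invented for this example; the admin account and the hostile SCIM request are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// User is an illustrative internal user record (not Grafana's real schema).
type User struct {
	ID         int64  // internal numeric user ID, assigned by the server
	Login      string
	ExternalID string // SCIM externalId, kept as an opaque string
	IsAdmin    bool
}

// SCIMUser holds the two SCIM /Users attributes this example needs.
type SCIMUser struct {
	UserName   string
	ExternalID string
}

// Directory is a minimal in-memory user store keyed by internal ID.
type Directory struct {
	byID   map[int64]*User
	nextID int64
}

func NewDirectory() *Directory {
	return &Directory{byID: map[int64]*User{}, nextID: 1}
}

// Add creates a local (non-SCIM) user and returns it.
func (d *Directory) Add(login string, admin bool) *User {
	u := &User{ID: d.nextID, Login: login, IsAdmin: admin}
	d.byID[u.ID] = u
	d.nextID++
	return u
}

// ProvisionVulnerable models the bug class in the advisory: a numeric
// externalId is parsed and used as the *internal* user ID, so a client-chosen
// externalId of "1" attaches the SCIM request to whichever existing user holds
// ID 1 (here, the admin) instead of creating a new account.
func (d *Directory) ProvisionVulnerable(s SCIMUser) (*User, error) {
	if id, err := strconv.ParseInt(s.ExternalID, 10, 64); err == nil {
		if u, ok := d.byID[id]; ok {
			u.Login = s.UserName // an existing privileged record is rewritten
			u.ExternalID = s.ExternalID
			return u, nil
		}
	}
	u := d.Add(s.UserName, false)
	u.ExternalID = s.ExternalID
	return u, nil
}

// ProvisionHardened keeps the two identifier spaces apart: externalId is only
// ever compared as an opaque string against users previously linked by SCIM,
// it is never coerced to a number, and a new externalId cannot claim a login
// that already belongs to some other (e.g. local admin) account.
func (d *Directory) ProvisionHardened(s SCIMUser) (*User, error) {
	if s.ExternalID == "" {
		return nil, errors.New("scim: externalId is required")
	}
	var byExt, byLogin *User
	for _, u := range d.byID {
		if u.ExternalID == s.ExternalID {
			byExt = u
		}
		if u.Login == s.UserName {
			byLogin = u
		}
	}
	if byLogin != nil && byLogin != byExt {
		return nil, fmt.Errorf("scim: login %q is not linked to externalId %q", s.UserName, s.ExternalID)
	}
	if byExt != nil {
		byExt.Login = s.UserName // update in place, same internal record
		return byExt, nil
	}
	u := d.Add(s.UserName, false)
	u.ExternalID = s.ExternalID
	return u, nil
}

func main() {
	// Constructed scenario: admin holds internal ID 1; a hostile SCIM client sends externalId "1".
	req := SCIMUser{UserName: "attacker", ExternalID: "1"}

	vuln := NewDirectory()
	vuln.Add("admin", true)
	u, _ := vuln.ProvisionVulnerable(req)
	fmt.Printf("vulnerable: id=%d login=%s admin=%t\n", u.ID, u.Login, u.IsAdmin)

	hard := NewDirectory()
	hard.Add("admin", true)
	u, _ = hard.ProvisionHardened(req)
	fmt.Printf("hardened:   id=%d login=%s admin=%t\n", u.ID, u.Login, u.IsAdmin)
}
```

The general lesson is that an identifier chosen by an external party must never be able to address an internal keyspace, whether by numeric coercion, by string prefixing or by a shared column. A SCIM externalId belongs to the identity provider; the server should store it beside, not in place of, its own user ID and match on it only with exact string equality.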


The flaw affects only systems where both the enableSCIM feature flag and the user_sync_enabled configuration option are set to true. This vulnerability does not impact Grafana OSS users.

Grafana Labs discovered the vulnerability during internal security audits on November 4, 2025, and immediately declared an internal incident.

The company confirmed no exploitation occurred in Grafana Cloud environments and released patches within days.

Organizations running affected versions should upgrade immediately to a fixed release: Grafana Enterprise 12.3.0, or one of the backported security builds 12.2.1+security-01, 12.1.3+security-01 or 12.0.6+security-01. Note that plain 12.2.1 is within the affected range; only the +security-01 build of it carries the fix.
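An exposure check that combines the two conditions above (the enableSCIM toggle plus user_sync_enabled, and a version in the affected range without a +security-01 suffix), as an added example not taken from Grafana or from the advisory. The grafana.ini fragment is constructed for this example; the [feature_toggles] and [auth.scim] section names are assumed from Grafana's documented settings, and the parseINI/Exposed helpers are invented here.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// SampleINI is a constructed grafana.ini fragment, not from any real deployment.
const SampleINI = `[server]
http_port = 3000

[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
group_sync_enabled = true
`

// parseINI reads a grafana.ini-style file into section -> key -> value.
// Comment lines (# or ;) and blank lines are skipped; values are not unquoted.
func parseINI(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if cfg[section] == nil {
			cfg[section] = map[string]string{}
		}
		cfg[section][strings.TrimSpace(key)] = strings.TrimSpace(val)
	}
	return cfg
}

func isTrue(v string) bool { return strings.EqualFold(strings.TrimSpace(v), "true") }

// scimProvisioningOn reports whether both switches named in the advisory are set:
// the enableSCIM feature toggle (either `enableSCIM = true` or listed in the
// comma-separated `enable = ...` key) and [auth.scim] user_sync_enabled = true.
func scimProvisioningOn(cfg map[string]map[string]string) bool {
	ft := cfg["feature_toggles"]
	toggle := isTrue(ft["enableSCIM"])
	for _, name := range strings.Split(ft["enable"], ",") {
		if strings.TrimSpace(name) == "enableSCIM" {
			toggle = true
		}
	}
	return toggle && isTrue(cfg["auth.scim"]["user_sync_enabled"])
}

// versionAffected reports whether a release lies in 12.0.0..12.2.1. Builds with
// a "+security-NN" suffix are the backported fixes and count as patched.
// Pre-release strings such as "12.0.0-pre" do not parse and are reported as not
// affected, so check those by hand.
func versionAffected(version string) bool {
	base, meta, _ := strings.Cut(strings.TrimPrefix(version, "v"), "+")
	if strings.HasPrefix(meta, "security") {
		return false
	}
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return false
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		n[i] = x
	}
	return n[0] == 12 && (n[1] < 2 || (n[1] == 2 && n[2] <= 1))
}

// Exposed combines the version and configuration checks for one instance.
// It says nothing about the edition: Grafana OSS is not affected regardless.
func Exposed(version, ini string) bool {
	return versionAffected(version) && scimProvisioningOn(parseINI(ini))
}

func main() {
	for _, v := range []string{"12.2.1", "12.2.1+security-01", "12.3.0"} {
		fmt.Printf("%-20s exposed=%t\n", v, Exposed(v, SampleINI))
	}
}
```

Two caveats when running this against a real instance. First, Grafana settings can also come from environment variables of the form GF_SECTION_KEY (for example GF_AUTH_SCIM_USER_SYNC_ENABLED or GF_FEATURE_TOGGLES_ENABLE), which override the file, so inspect the running process's environment as well as grafana.ini. Second, take the version from the instance itself (the unauthenticated GET /api/health endpoint reports it) rather than from a package manifest, so that a backported +security-01 build is not mistaken for its unpatched base version.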

Grafana Cloud instances, as well as Amazon Managed Grafana and Azure Managed Grafana, have already been updated by their operators, so customers of those services need to take no action.
