Grafana Patches Critical SCIM Flaw Enabling Impersonation and Privilege Escalation

  • Nov 22, 2025
  • 2 min read

Key Findings


  • Grafana has patched a critical vulnerability (CVE-2025-41115) in its SCIM (System for Cross-domain Identity Management) implementation with a CVSS score of 10.0.

  • The flaw could allow a malicious or compromised SCIM client to provision a user with a numeric `externalId`, enabling potential impersonation or privilege escalation under certain configurations.

  • The vulnerability affects Grafana Enterprise versions from 12.0.0 to 12.2.1 and has been addressed in Grafana Enterprise 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01, and 12.3.0.


Background


  • SCIM is an open standard for automated user provisioning and management, which Grafana Enterprise implements to create and manage user accounts.

  • The vulnerability was discovered internally by Grafana on November 4, 2025, during an audit and testing process.

  • Successful exploitation requires the `enableSCIM` feature flag to be set to `true` and the `user_sync_enabled` config option in the `[auth.scim]` block to also be set to `true`.


Technical Details


  • Grafana maps the SCIM `externalId` directly to the internal `user.uid`, and numeric values (e.g., '1') may be interpreted as internal numeric user IDs.

  • In specific cases, this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation.


Mitigation and Remediation


  • Grafana has released security updates to address the vulnerability in the following versions:
      • Grafana Enterprise 12.0.6+security-01
      • Grafana Enterprise 12.1.3+security-01
      • Grafana Enterprise 12.2.1+security-01
      • Grafana Enterprise 12.3.0

  • Users are advised to apply the patches as soon as possible to mitigate potential risks.
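As an added illustration (not code from Grafana or from any of the sources below), the following Python check reads a grafana.ini-style fragment and a version string and reports whether a deployment meets all three conditions the advisory names: an affected build, the `enableSCIM` feature flag, and `user_sync_enabled` in `[auth.scim]`. The `[feature_toggles]` key syntax (`enable = enableSCIM` or `enableSCIM = true`) is assumed from Grafana's config format; the affected range and fixed builds are the ones listed above.

```python
import configparser
import re

# Patched builds per affected 12.x minor line, taken from the advisory;
# 12.3.0 and later are not affected. The 4th field marks a "+security-NN" build.
FIXED = {0: (12, 0, 6, 1), 1: (12, 1, 3, 1), 2: (12, 2, 1, 1)}

# Constructed sample grafana.ini fragment with both preconditions set.
SAMPLE_INI = """\
[feature_toggles]
enable = enableSCIM

[auth.scim]
user_sync_enabled = true
"""


def parse_version(version):
    """'12.0.6+security-01' -> (12, 0, 6, 1); a build without the suffix gets 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(\+security-\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 1 if m.group(4) else 0)


def version_is_vulnerable(version):
    """True for 12.0.0 .. 12.2.1 builds that predate their line's security release."""
    ver = parse_version(version)
    if ver[0] != 12 or ver[1] not in FIXED:
        return False
    return ver < FIXED[ver[1]]


def scim_user_sync_enabled(ini_text):
    """True when enableSCIM is toggled on and [auth.scim] user_sync_enabled is true."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    toggles = cfg["feature_toggles"] if cfg.has_section("feature_toggles") else {}
    # configparser lower-cases keys, so "enableSCIM = true" is stored as "enablescim".
    listed = {t.strip() for t in toggles.get("enable", "").split(",")}
    flag_on = "enableSCIM" in listed or toggles.get("enablescim", "").lower() == "true"
    sync_on = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return flag_on and sync_on


def exposed(version, ini_text):
    """Exposed only when the build is unpatched AND both config preconditions hold."""
    return version_is_vulnerable(version) and scim_user_sync_enabled(ini_text)
```

A deployment that is on an affected build but has either precondition off is reported as not exposed, matching the advisory's stated requirements; patching remains the fix.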


Impact and Implications


  • The vulnerability carries a maximum severity CVSS score of 10.0, indicating the critical nature of the flaw.

  • Successful exploitation could lead to impersonation of existing users, including the Admin, and potential privilege escalation.

  • The vulnerability was discovered and patched internally, highlighting Grafana's proactive approach to security.


Conclusion


Grafana has acted swiftly to address a critical vulnerability in its SCIM implementation that could have allowed malicious actors to impersonate users and escalate privileges. Users are strongly encouraged to update their Grafana Enterprise instances to the patched versions to ensure the security and integrity of their systems.


Sources


  • https://thehackernews.com/2025/11/grafana-patches-cvss-100-scim-flaw.html

  • https://x.com/Dinosn/status/1991921651139981425

  • https://securityonline.info/grafana-patches-critical-scim-flaw-cve-2025-41115-cvss-10-allowing-privilege-escalation-and-user-impersonation/

  • https://www.linkedin.com/posts/lorenzogomezvargas_grafana-patches-cvss-100-scim-flaw-enabling-activity-7397718049186914304-OJ7T

© 2025 by Explain IT Again