Grafana has issued critical security updates for a severe vulnerability impacting its System for Cross-domain Identity Management (SCIM) component. This flaw, CVE-2025-41115, identified with a CVSS score of 10.0, could enable malicious actors to escalate privileges or impersonate legitimate users under specific configuration conditions, posing a significant risk to data security and system integrity.
The vulnerability was discovered internally by Grafana on November 4, 2025, during a routine audit. The SCIM component, designed for automated user provisioning, was introduced in April 2025 and is currently in public preview. Successful exploitation requires a dual misconfiguration involving feature flags and specific settings within the authentication block, making it a complex but high-impact threat.
Grafana Security Update Addresses SCIM Vulnerability
The critical security flaw, CVE-2025-41115, resides within Grafana’s SCIM provisioning functionality. This component is responsible for streamlining the addition, modification, and deletion of user accounts across different systems. According to Grafana’s Vardan Torosyan, the vulnerability arises when the SCIM component is enabled and configured, and a compromised SCIM client provisions a user with a numeric external ID. This specific scenario can lead to the aforementioned privilege escalation or user impersonation risks.
The severity of this vulnerability is amplified by the direct mapping Grafana performs between the SCIM external ID and the internal user’s unique identifier (uid). When a numeric value is used as the external ID, Grafana may incorrectly interpret it as an existing internal numeric user ID. This misinterpretation opens the door for a newly provisioned user to be recognized as an established internal account, potentially including administrative roles, thereby enabling impersonation and unauthorized access.
Exploitation Prerequisites and Affected Versions
For this vulnerability to be successfully exploited, two specific conditions must be met simultaneously. Firstly, the “enableSCIM” feature flag must be set to “true.” Secondly, the “user_sync_enabled” configuration option within the “[auth.scim]” block must also be set to “true.” Without both of these settings in place, the vulnerability cannot be triggered.
The affected software versions are Grafana Enterprise versions ranging from 12.0.0 up to and including 12.2.1. Grafana has moved swiftly to address this critical issue by releasing updated versions that patch the security hole. Users are strongly advised to upgrade their Grafana Enterprise instances to one of the following patched versions as soon as possible to mitigate the associated risks.
Patched Grafana Enterprise Versions
The following Grafana Enterprise versions include the security fix for CVE-2025-41115:
- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0
Users running earlier versions of Grafana Enterprise are urged to prioritize updating to one of these patched releases. Implementing these updates is the most effective method for protecting against potential exploitation of this critical SCIM vulnerability and maintaining the integrity of user access controls.
The implications of this vulnerability are far-reaching, potentially impacting organizations relying on SCIM for automated user management. The ability for an attacker to gain administrative privileges or impersonate high-level users could lead to widespread data breaches, system manipulation, or denial-of-service attacks. The rapid discovery and patching by Grafana indicate a proactive approach to security, but underscores the continuous need for vigilance in managing complex identity management systems.
Moving forward, organizations should conduct thorough audits of their SCIM configurations to ensure the “enableSCIM” and “user_sync_enabled” settings are appropriately secured. Continuous monitoring and prompt application of security patches will remain paramount in defending against evolving cybersecurity threats. The exact timeline for widespread adoption of the patches remains to be seen, but the urgency of the situation necessitates swift action from affected users.