Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation.
The issue is only exploitable when SCIM (System for Cross-domain Identity Management) provisioning is enabled and configured.
Specifically, both ‘enableSCIM’ feature flag and ‘user_sync_enabled’ options must be set to true to allow a malicious or compromised SCIM client to provision a user with a numeric externalId that maps to an internal account, including administrators.
The externalId is a SCIM bookkeeping attribute used by the identity provider to track users.
Because Grafana mapped this value directly to its internal user.uid, a numeric externalId such as “1” could be interpreted as an existing internal account, enabling impersonation or privilege escalation.
According to Grafana’s documentation, SCIM provisioning is currently in ‘Public Preview’ and there is limited support available. Because of this, adoption of the feature may not be widespread.
Grafana is a data visualization and monitoring platform used by a broad spectrum of organizations, from startups to Fortune 500 companies, for turning metrics, logs, and other operational data into dashboards, alerts, and analytics.
“In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation” – Grafana Labs
CVE-2025-41115 impacts Grafana Enterprise versions between 12.0.0 and 12.2.1 (when SCIM is enabled).
Grafana OSS users aren’t impacted, while Grafana Cloud services, including Amazon Managed Grafana and Azure Managed Grafana, have already received the patches.
Administrators of self-managed installations can address the risk by applying one of the following updates:
- Grafana Enterprise version 12.3.0
- Grafana Enterprise version 12.2.1
- Grafana Enterprise version 12.1.3
- Grafana Enterprise version 12.0.6
“If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible,” warns Grafana Labs.
The flaw was discovered during internal auditing on November 4, and a security update was introduced roughly 24 hours later.
During that time, Grafana Labs investigated and determined that the flaw had not been exploited in Grafana Cloud.
The public release of the security update and the accompanying bulletin followed on November 19.
Grafana users are recommended to apply available patches as soon as possible or change the configuration (disable SCIM) to close potential exploitation opportunities.
Last month, GreyNoise reported unusually elevated scanning activity targeting an old path traversal flaw in Grafana, which, as the researchers have noted previously, could be used for mapping exposed instances in preparation for the disclosure of a new flaw.
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.
