Grafana Vulnerability Disclosure: SCIM Flaw Could Lead to Privilege Escalation

Nov 23, 2025 · By Padmashree P · 3 min read

The discovery of CVE-2025-41115 exposes a critical security weakness in the Grafana Enterprise SCIM (System for Cross-domain Identity Management) component, enabling attackers to escalate privileges or impersonate existing users under specific configuration conditions. This flaw poses a significant threat to organizations relying on SCIM for automated identity provisioning and user lifecycle management.

Vulnerability Details

Privilege Escalation Through SCIM Misconfiguration (CVE-2025-41115)

A critical privilege escalation vulnerability, tracked as CVE-2025-41115, has been identified in Grafana Enterprise versions 12.0.0 through 12.2.1. The issue stems from how Grafana maps the SCIM externalId directly to the internal user.uid field.

When SCIM provisioning is enabled, a compromised or malicious SCIM client can provision a user with a purely numeric externalId. Because that value is copied into user.uid, it can be interpreted as an internal user ID, and the newly created account may then be treated as an existing Grafana user, potentially including the Admin account.

This results in the possibility of:

  • Unauthorized impersonation
  • Privilege escalation
  • Administrative takeover of the Grafana instance
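To make the mapping concrete, here is an added illustration (not Grafana's code) of a SCIM provisioning step that copies externalId straight into the internal uid, beside a hardened version that keeps externalId as an opaque attribute and mints uids independently. The in-memory store, the numeric uid scheme and the admin account having uid "1" are all assumptions made for this example.

```python
import uuid

# Constructed in-memory user store standing in for Grafana's user table
# (not Grafana code). Internal uids are numeric strings and uid "1" is the
# admin account; both are assumptions for illustration only.
class UserStore:
    def __init__(self):
        self.users = {"1": {"login": "admin", "is_admin": True}}
        self.by_external_id = {}   # SCIM externalId -> uid (hardened path only)

def provision_vulnerable(store, external_id, login):
    """Mapping modelled on the flaw: uid is taken verbatim from externalId,
    so a numeric externalId equal to an existing uid resolves to that user."""
    if external_id in store.users:
        return external_id, store.users[external_id]   # existing account reused
    store.users[external_id] = {"login": login, "is_admin": False}
    return external_id, store.users[external_id]

def provision_hardened(store, external_id, login):
    """Hardened mapping: externalId is an opaque attribute, never a uid.
    Lookups go through a separate SCIM index and new users get a minted uid,
    so a SCIM client cannot steer provisioning onto a pre-existing account."""
    if not isinstance(external_id, str) or not external_id:
        raise ValueError("externalId must be a non-empty string")
    uid = store.by_external_id.get(external_id)
    if uid is not None:
        return uid, store.users[uid]          # idempotent re-provisioning
    uid = uuid.uuid4().hex
    store.users[uid] = {"login": login, "is_admin": False,
                        "external_id": external_id}
    store.by_external_id[external_id] = uid
    return uid, store.users[uid]

def demo():
    """Provision externalId "1" both ways and report where it lands."""
    _, vuln_user = provision_vulnerable(UserStore(), "1", "scim-user")
    hard_uid, hard_user = provision_hardened(UserStore(), "1", "scim-user")
    return {"vulnerable_is_admin": vuln_user["is_admin"],
            "hardened_is_admin": hard_user["is_admin"],
            "hardened_uid_is_fresh": hard_uid != "1"}

if __name__ == "__main__":
    print(demo())
```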

According to Grafana’s internal analysis, exploiting the flaw requires both:

  1. enableSCIM = true
  2. user_sync_enabled = true within the [auth.scim] configuration block
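The two preconditions can be checked mechanically against a grafana.ini. The helper below is an added example, not Grafana's or SecPod's code; it assumes enableSCIM is set in the [feature_toggles] section and, as the advisory states, user_sync_enabled in [auth.scim], and it embeds a constructed configuration showing the exposed combination.

```python
import configparser

# Constructed sample grafana.ini fragment (not from a real deployment)
# showing the combination the advisory describes as required for exploitation.
SAMPLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
"""

TRUTHY = {"true", "1", "yes", "on"}   # INI spellings treated as enabled

def _flag(cfg, section, key):
    # Missing section or key counts as disabled.
    return cfg.get(section, key, fallback="false").strip().lower() in TRUTHY

def scim_preconditions(ini_text):
    """Return which of the two preconditions hold and whether both do."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    scim_on = _flag(cfg, "feature_toggles", "enableSCIM")
    sync_on = _flag(cfg, "auth.scim", "user_sync_enabled")
    return {"enableSCIM": scim_on,
            "user_sync_enabled": sync_on,
            "exposed": scim_on and sync_on}

def findings(ini_text):
    """Human-readable audit lines for the config, mitigation-oriented."""
    r = scim_preconditions(ini_text)
    out = []
    if r["exposed"]:
        out.append("SCIM user sync active: upgrade to a fixed build or "
                   "disable SCIM if it is not required")
    elif r["enableSCIM"]:
        out.append("enableSCIM set but user_sync_enabled off: "
                   "preconditions not met")
    else:
        out.append("SCIM feature toggle off: preconditions not met")
    return out

if __name__ == "__main__":
    print(scim_preconditions(SAMPLE_INI))
    print("\n".join(findings(SAMPLE_INI)))
```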

Grafana discovered the vulnerability internally during an audit on November 4, 2025, underscoring the importance of secure identity mapping within SCIM implementations.

Impact & Exploit Potential

If exploited, CVE-2025-41115 allows attackers to gain full administrative control over a Grafana deployment. This could lead to:

  • Unauthorized access to sensitive dashboards and data
  • Modification of system configurations
  • Disruption of monitoring operations
  • Lateral movement within the environment

Given its CVSS score of 10.0, the vulnerability represents a maximum-severity threat, especially for internet-exposed or misconfigured SCIM-enabled Grafana instances.

Tactics, Techniques, and Procedures (TTPs)

Exploitation of this vulnerability aligns with the following ATT&CK tactics and techniques:

  • TA0004 – Privilege Escalation: Abuse of identity provisioning to gain elevated permissions.
  • TA0001 – Initial Access: Leveraging exposed SCIM endpoints to establish a foothold.
  • T1190 – Exploit Public-Facing Application: Targeting SCIM endpoints to compromise the system.

Affected Products

  • Grafana Enterprise 12.0.0 – 12.2.1

Mitigations

Grafana has released patched builds that fully address the vulnerability. Users should upgrade to one of the following versions:

  • Grafana Enterprise 12.0.6
  • Grafana Enterprise 12.1.3
  • Grafana Enterprise 12.2.1
  • Grafana Enterprise 12.3.0

Additional recommendations include:

  • Reviewing SCIM settings to ensure secure identity mapping
  • Disabling SCIM if not required
  • Restricting SCIM client access and ensuring trusted authentication mechanisms

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
