Grafana Labs has released critical security patches addressing a severe vulnerability in its SCIM provisioning feature that could allow attackers to escalate privileges or impersonate users.
The flaw, tracked as CVE-2025-41115 with a CVSS score of 10.0 (Critical), affects Grafana Enterprise versions 12.0.0 through 12.2.1 under specific configurations.
Organizations running affected versions should update immediately to a patched release.
The vulnerability exists in the System for Cross-domain Identity Management (SCIM) provisioning functionality, which Grafana introduced in April 2025 to simplify automated user lifecycle management.
| CVE ID | Vulnerability Type | CVSS Score | Affected Versions |
|---|---|---|---|
| CVE-2025-41115 | Incorrect Privilege Assignment (SCIM Provisioning) | 10.0 Critical | Enterprise 12.0.0 – 12.2.1 |
A critical flaw in how the system handles user identity mapping allows a malicious or compromised SCIM client to provision users with numeric external IDs.
These numeric values can override internal user IDs, potentially allowing attackers to gain access as existing privileged accounts, including administrator accounts.
Vulnerability Scope and Requirements
The vulnerability affects only Grafana environments where SCIM provisioning is enabled and configured with specific settings.
Exploitation requires two conditions to be met simultaneously: the enableSCIM feature flag must be set to true, and the user_sync_enabled configuration option in the auth.scim block must also be enabled.
This narrow scope means organizations without SCIM provisioning enabled face no risk from this flaw. Additionally, Grafana OSS users are entirely unaffected by this vulnerability.
When these conditions are present, the system maps SCIM external IDs directly to internal user UIDs.
An attacker exploiting this flaw could create a user with a numeric external ID matching an existing administrator account, effectively gaining administrative privileges without proper authorization. In some scenarios, this could result in full account impersonation.
Grafana Labs released patched versions on November 19, 2025: Enterprise 12.3.0, 12.2.1, 12.1.3, and 12.0.6 all contain security fixes for this critical flaw.
The company strongly recommends upgrading to one of these patched versions immediately. Grafana Cloud customers are already protected, as patches were applied to all managed cloud instances before public disclosure.
Amazon Managed Grafana and Azure Managed Grafana both confirmed their offerings are secure.
The company discovered this vulnerability during internal security testing and immediately began working on remediation.
No evidence indicates that this flaw was exploited in Grafana Cloud environments before patching. Grafana Labs coordinated early notification with all cloud providers under embargo, ensuring swift deployment of fixes before public announcement.
The entire incident, from discovery to public patch release, took approximately 15 days, demonstrating Grafana's responsible disclosure approach.
Organizations should prioritize upgrading affected instances and verifying that SCIM provisioning configurations are adequately secured.
For those unable to update immediately, disabling SCIM provisioning or the user_sync_enabled setting provides temporary mitigation until patches can be deployed.
Organizations suspecting exploitation should review audit logs for suspicious user provisioning activity and check for unexpected administrative account access.
Security teams should monitor Grafana's official blog for additional guidance and coordinate updates with their IT infrastructure teams to minimize service disruption during patching.
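As an added example (not code from Grafana Labs or from the original article), the following Python script checks a grafana.ini fragment for the two conditions the advisory names (the enableSCIM feature toggle and user_sync_enabled under [auth.scim]) and tests whether a reported Enterprise version falls in the affected 12.0.0 – 12.2.1 range. The sample configuration text is constructed; the assumption that the toggle may appear either in the [feature_toggles] `enable` list or as a per-flag boolean key follows Grafana's usual feature-toggle layout.

```python
import configparser
from typing import Dict

# Constructed sample grafana.ini fragments (not taken from the article).
VULNERABLE_INI = """
[feature_toggles]
enable = enableSCIM,someOtherFlag

[auth.scim]
user_sync_enabled = true
"""

# Mitigated per the advisory: SCIM still on, but user sync disabled.
MITIGATED_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = false
"""

AFFECTED_MIN, AFFECTED_MAX = (12, 0, 0), (12, 2, 1)

def _truthy(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}

def scim_feature_enabled(cfg: configparser.ConfigParser) -> bool:
    """Assumed layout: either `enable = flagA,flagB` or `enableSCIM = true`
    under [feature_toggles]. Either form counts as the toggle being on."""
    if not cfg.has_section("feature_toggles"):
        return False
    listed = cfg.get("feature_toggles", "enable", fallback="")
    if "enablescim" in {f.strip().lower() for f in listed.split(",")}:
        return True
    return _truthy(cfg.get("feature_toggles", "enableSCIM", fallback="false"))

def assess(ini_text: str) -> Dict[str, bool]:
    """Report both conditions and whether they coincide (the exposed state)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case so enableSCIM is matched as written
    cfg.read_string(ini_text)
    flag = scim_feature_enabled(cfg)
    sync = _truthy(cfg.get("auth.scim", "user_sync_enabled", fallback="false"))
    return {"enableSCIM": flag, "user_sync_enabled": sync, "exposed": flag and sync}

def affected_version(version: str) -> bool:
    """True if an Enterprise version string lies in the advisory's range."""
    parts = tuple(int(p) for p in version.split("+")[0].split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX
```

Run `assess()` against a deployed grafana.ini and `affected_version()` against the version shown in the Grafana UI; an instance is at risk only when both configuration keys are on and the version is in range.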
