Grafana patches CVSS 10.0 SCIM flaw that could allow impersonation


Grafana has released security updates to address a maximum-severity vulnerability (CVE-2025-41115) with a CVSS score of 10.0 that could allow privilege escalation or user impersonation under certain configurations. The flaw resides in the System for Cross-domain Identity Management (SCIM) component, which enables automated user provisioning and management.

Grafana said the vulnerability can be triggered when a malicious or compromised SCIM client provisions a user with a numeric externalId that may be interpreted as an internal numeric user ID, potentially overriding internal user identifiers. The SCIM capability was first introduced in April 2025 and is currently in public preview, and company engineers provided technical details in a security advisory.

Successful exploitation requires two configuration conditions: the enableSCIM feature flag must be set to true and the user_sync_enabled option in the [auth.scim] block must be set to true. The issue affects Grafana Enterprise versions from 12.0.0 to 12.2.1 and has been fixed in Grafana Enterprise 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01 and 12.3.0.

Grafana engineer Vardan Torosyan explained that the product maps the SCIM externalId directly to the internal user.uid, so numeric values like ‘1’ may be interpreted as internal IDs and in specific cases could allow a newly provisioned user to be treated as an existing internal account, including an administrator, leading to possible impersonation or privilege escalation.
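To make the identifier confusion concrete, here is an added Go model (hypothetical code, not Grafana's implementation): resolveWeak falls back to treating an unmatched externalId as an internal numeric ID, the pattern the advisory describes, while resolveStrict keeps externalId opaque so a client-chosen value can never address an existing internal account. The User, Directory and resolver names are assumptions.

```go
package main

import (
	"errors"
	"strconv"
)

// User is a simplified account record (constructed for this example).
type User struct {
	ID         int64  // internal numeric identifier
	ExternalID string // opaque identifier supplied by the SCIM client
	Login      string
}

// Directory is an in-memory stand-in for a user store.
type Directory struct{ users []*User }
// byExternalID matches only the stored external_id; "" never matches.
func (d *Directory) byExternalID(ext string) *User {
	for _, u := range d.users {
		if ext != "" && u.ExternalID == ext {
			return u
		}
	}
	return nil
}

// resolveWeak reproduces the confusion the advisory describes: an unmatched
// externalId is parsed as a number and retried as an internal ID, so "1" lands on account 1.
func (d *Directory) resolveWeak(ext string) (*User, error) {
	if u := d.byExternalID(ext); u != nil {
		return u, nil
	}
	if id, err := strconv.ParseInt(ext, 10, 64); err == nil {
		for _, u := range d.users {
			if u.ID == id {
				return u, nil
			}
		}
	}
	return nil, errors.New("no such user")
}

// resolveStrict never reinterprets externalId: no match means a new user.
func (d *Directory) resolveStrict(ext string) (*User, error) {
	if u := d.byExternalID(ext); u != nil {
		return u, nil
	}
	return nil, errors.New("no such user")
}
```

The strict resolver also refuses an empty externalId, so locally created accounts that were never linked to the identity provider cannot be matched by a SCIM request at all.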

The company reported the flaw was discovered internally on Nov. 4, 2025, during an audit and testing, and advised users to apply the available patches as soon as possible.