Grafana has released security updates to address a maximum-severity flaw that could allow privilege escalation and user impersonation under certain configurations.
The vulnerability is tracked as CVE-2025-41115 and carries a CVSS score of 10.0. It resides in the System for Cross-Domain Identity Management (SCIM) component, which automates user provisioning and management. SCIM support was first introduced in April 2025 and is currently in public preview.
“In Grafana version 12.x with SCIM provisioning enabled and configured, a vulnerability in user ID handling could allow a malicious or compromised SCIM client to provision a user with a numeric externalId, which could override the internal user ID and potentially lead to impersonation and privilege escalation,” said Vardan Torosyan of Grafana.
Successful exploitation requires both of the following conditions to be met:
- the EnableSCIM feature flag is set to true
- the user_sync_enabled option in the [auth.scim] block is set to true
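To check whether an instance meets both preconditions, the following added example (written for this article, not a Grafana tool) walks a grafana.ini file and reports the two settings. It understands the section/key=value layout of grafana.ini, including the feature toggle written either as its own key or inside the comma-separated enable list; settings applied through GF_* environment variables are not seen by this parser, and the sample configuration is constructed for the demonstration. A positive result only says the exposed configuration is present; whether the instance is actually affected also depends on it running one of the vulnerable versions listed below.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ScimSettings records the two grafana.ini settings the advisory names as
// preconditions. The type and field names are this example's own.
type ScimSettings struct {
	FeatureFlagEnabled bool // [feature_toggles] enableSCIM = true, or enable = ...,enableSCIM
	UserSyncEnabled    bool // [auth.scim] user_sync_enabled = true
}

// Exposed is true only when both preconditions hold.
func (s ScimSettings) Exposed() bool {
	return s.FeatureFlagEnabled && s.UserSyncEnabled
}

// ParseScimSettings walks an ini-style config: [section] headers,
// "key = value" lines and ;/# comments. Keys and values are compared
// case-insensitively so EnableSCIM / enableSCIM / TRUE all match.
func ParseScimSettings(cfg string) ScimSettings {
	var s ScimSettings
	section := ""
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if line[0] == '[' && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		key = strings.ToLower(strings.TrimSpace(key))
		val = strings.ToLower(strings.TrimSpace(val))
		switch section {
		case "feature_toggles":
			if key == "enablescim" && val == "true" {
				s.FeatureFlagEnabled = true
			}
			if key == "enable" {
				for _, f := range strings.Split(val, ",") {
					if strings.TrimSpace(f) == "enablescim" {
						s.FeatureFlagEnabled = true
					}
				}
			}
		case "auth.scim":
			if key == "user_sync_enabled" && val == "true" {
				s.UserSyncEnabled = true
			}
		}
	}
	return s
}

// sampleConfig is a constructed grafana.ini excerpt with both preconditions set.
const sampleConfig = `[server]
http_port = 3000

[feature_toggles]
; SCIM is in public preview and off by default
enableSCIM = true

[auth.scim]
user_sync_enabled = true
`

func main() {
	s := ParseScimSettings(sampleConfig)
	fmt.Printf("feature flag: %v, user sync: %v, exposed config: %v\n",
		s.FeatureFlagEnabled, s.UserSyncEnabled, s.Exposed())
}
```

Until the fix is installed, setting user_sync_enabled to false (or disabling the feature toggle) removes one of the two preconditions, which is the interim mitigation the conditions above imply.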
The flaw affects Grafana Enterprise versions 12.0.0 through 12.2.1. It is fixed in the following releases:
- Grafana Enterprise 12.0.6+Security-01
- Grafana Enterprise 12.1.3+Security-01
- Grafana Enterprise 12.2.1+Security-01
- Grafana Enterprise 12.3.0
“Grafana maps SCIM externalId directly to internal user.uid, so a number (e.g. ‘1’) can be interpreted as an internal numeric user ID,” Torosyan said. “In certain cases, this could result in newly provisioned users being treated as existing internal accounts, such as administrators, which could lead to impersonation and privilege escalation.”
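The identifier confusion Torosyan describes can be shown with a small model of the provisioning path. The following is an added example written for this article, not Grafana's code: a toy user store with a numeric primary key and a string uid, a vulnerable provisioning routine that copies externalId straight into the uid and resolves it through a lookup that accepts numeric strings as internal IDs, and a hardened routine that keeps externalId in its own field, rejects purely numeric values and never lets the SCIM identifier reach the ID lookup. The seeded admin account, the externalId pattern and the store layout are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// User mirrors the shape the advisory describes: a numeric primary key plus a
// string uid. ExternalID is only used by the hardened path.
type User struct {
	ID         int64
	UID        string
	ExternalID string
	Login      string
	IsAdmin    bool
}

type Store struct {
	users  []*User
	nextID int64
}

// NewSeededStore returns a store with one constructed built-in admin (ID 1),
// the account a malicious SCIM client would want to collide with.
func NewSeededStore() *Store {
	return &Store{
		users:  []*User{{ID: 1, UID: "admin-uid", Login: "admin", IsAdmin: true}},
		nextID: 2,
	}
}

// resolveVulnerable accepts one identifier string and, if it parses as an
// integer, tries it as the numeric ID before falling back to uid. With
// externalId copied into uid, the externalId "1" resolves to the admin.
func (s *Store) resolveVulnerable(ident string) *User {
	if id, err := strconv.ParseInt(ident, 10, 64); err == nil {
		for _, u := range s.users {
			if u.ID == id {
				return u
			}
		}
	}
	for _, u := range s.users {
		if u.UID == ident {
			return u
		}
	}
	return nil
}

// ProvisionVulnerable models the flawed behaviour: an existing match is
// treated as the user being provisioned instead of a new account.
func (s *Store) ProvisionVulnerable(externalID, login string) (*User, string) {
	if u := s.resolveVulnerable(externalID); u != nil {
		return u, "matched existing user"
	}
	u := &User{ID: s.nextID, UID: externalID, Login: login}
	s.nextID++
	s.users = append(s.users, u)
	return u, "created"
}

// externalIDPattern is this example's own rule: must start with a letter, so a
// bare integer can never be accepted as an externalId.
var externalIDPattern = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9._@:-]{0,254}$`)

// ProvisionHardened validates externalId, matches only on the ExternalID
// field (never on ID or uid) and mints an opaque uid for new users.
func (s *Store) ProvisionHardened(externalID, login string) (*User, string, error) {
	if !externalIDPattern.MatchString(externalID) {
		return nil, "", fmt.Errorf("rejected externalId %q: must be non-numeric and start with a letter", externalID)
	}
	for _, u := range s.users {
		if u.ExternalID == externalID {
			return u, "matched existing user", nil
		}
	}
	u := &User{ID: s.nextID, UID: fmt.Sprintf("scim-%d", s.nextID), ExternalID: externalID, Login: login}
	s.nextID++
	s.users = append(s.users, u)
	return u, "created", nil
}

func main() {
	v := NewSeededStore()
	u, action := v.ProvisionVulnerable("1", "mallory")
	fmt.Printf("vulnerable: externalId=1 -> %s: id=%d login=%s admin=%v\n", action, u.ID, u.Login, u.IsAdmin)

	h := NewSeededStore()
	if _, _, err := h.ProvisionHardened("1", "mallory"); err != nil {
		fmt.Println("hardened:", err)
	}
	u2, action2, _ := h.ProvisionHardened("okta-42", "alice")
	fmt.Printf("hardened: externalId=okta-42 -> %s: id=%d uid=%s admin=%v\n", action2, u2.ID, u2.UID, u2.IsAdmin)
}
```

The point of the hardened path is not the specific regular expression but the separation of namespaces: an identifier chosen by an external party is stored and compared only against other identifiers from that same source, so it can never alias an internal key.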
According to the observability platform vendor, the vulnerability was discovered internally on November 4, 2025, during an audit and testing. Given its severity, users are advised to apply the patch as soon as possible to reduce the risk of exploitation.