🚨 CRITICAL intel

CVE-2025-41115 – Grafana SCIM CVSS 10.0 Privilege Escalation

CVE-2025-41115 is a CVSS 10.0 vulnerability in the System for Cross-domain Identity Management (SCIM) component of Grafana Enterprise 12.x that can enable user impersonation and privilege escalation under certain configurations. In deployments where the enableSCIM feature flag is true and the [auth.scim] user_sync_enabled option is enabled, a malicious or compromised SCIM client can provision users with numeric externalId values that collide with internal user IDs, potentially overwriting critical identities such as the built-in admin account. This maps to MITRE ATT&CK T1098 (Account Manipulation) and T1136 (Create Account), where adversaries weaponize identity provisioning flows for persistence and elevated access.

The flaw arises because Grafana maps the SCIM externalId directly to the internal user.uid without sufficient validation, so a numeric externalId such as 1 can be interpreted as a core internal identity. In environments where SCIM is used to sync users from identity providers or third-party IAM systems, an attacker who controls or compromises the SCIM client can craft provisioning requests that result in new accounts assuming the privileges of existing users. Because SCIM operations are generally trusted and often automated, these payloads can blend into normal identity synchronization activity, making detection difficult without focused SCIM audit logging.

For organizations relying on Grafana Enterprise for observability across infrastructure, cloud, and application telemetry, unauthorized escalation to admin-level access has serious implications. Attackers could alter dashboards, hide or modify alerts tied to security monitoring, or exfiltrate sensitive metrics and secrets embedded in data sources. Compromise of an observability platform can undermine incident detection, tamper with compliance evidence, and provide powerful reconnaissance into network topology and service health, raising potential issues for SOC 2, ISO 27001, and internal audit programs.
Grafana discovered CVE-2025-41115 internally on November 4, 2025 and has issued patched versions 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01, and 12.3.0. Administrators should immediately identify whether SCIM is enabled and, if so, upgrade to a fixed release and review recent SCIM provisioning logs for anomalies involving numeric externalId values or unexpected privilege assignments. As a compensating control, organizations should tightly constrain which SCIM clients can connect, implement mutual TLS or signed SCIM requests, and ensure that high-privilege Grafana accounts are not directly mapped from untrusted external identifiers.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: CVE-2025-41115 exposes Grafana Enterprise customers to potential admin account hijacking via SCIM identity misconfiguration, threatening the integrity of monitoring dashboards and security observability. Attackers who gain elevated access can suppress alerts, tamper with compliance evidence, and pivot into data sources, affecting operational resilience and audit confidence.

Technical Context: The vulnerability leverages weak mapping between the SCIM externalId and the internal user.uid when SCIM and user_sync_enabled are active, mapping to MITRE T1098 and T1136. A malicious or compromised SCIM client can provision accounts with numeric externalId values that override internal users, including admins. Patching to the security-01 releases or 12.3.0 and enforcing strict SCIM client trust boundaries are essential mitigations.

Strategic Intelligence Guidance

  • Immediately determine whether Grafana Enterprise instances have SCIM enabled with user_sync and prioritize upgrades to 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01, or 12.3.0.
  • Audit recent SCIM provisioning logs for numeric externalId values, unexpected admin assignments, or account collisions and revoke any suspicious or newly elevated accounts.
  • Restrict SCIM client access to tightly controlled identity providers using mutual TLS, IP allowlists, and strong API authentication, avoiding untrusted or shared SCIM integrations.
  • Incorporate identity provisioning threat modeling into observability platform design, ensuring separation of duties between Grafana admins and SCIM operators and enforcing just-enough-privilege for synchronized roles.
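To support the log-audit step above, here is an added example (not Grafana's code or part of the advisory) that scans a constructed JSON-lines export of SCIM provisioning requests for purely numeric externalId values, the pattern this CVE turns into an internal-identity collision, and marks those that match a known set of internal user IDs. The log shape, its field names and the internal ID set are assumptions made for the example.

```python
import json
import re

# Constructed sample: a JSON-lines export of SCIM /Users provisioning requests.
# The record layout is an assumption for this example, not Grafana's audit format.
SAMPLE_SCIM_LOG = """
{"ts":"2025-11-05T09:12:01Z","client":"okta-prod","op":"POST","body":{"userName":"jdoe","externalId":"00u1a2b3c4d5e6f7g8h9","active":true}}
{"ts":"2025-11-05T09:12:07Z","client":"okta-prod","op":"POST","body":{"userName":"asmith","externalId":"00u9z8y7x6w5v4u3t2s1","active":true}}
{"ts":"2025-11-05T09:13:42Z","client":"legacy-sync","op":"POST","body":{"userName":"svc-backup","externalId":"1","active":true}}
{"ts":"2025-11-05T09:14:10Z","client":"legacy-sync","op":"PUT","body":{"userName":"svc-backup2","externalId":"42","active":true}}
"""

NUMERIC_ID = re.compile(r"^\d+$")


def audit_scim_log(lines, internal_uids):
    """Return one finding per provisioning request whose externalId is purely
    numeric (the shape CVE-2025-41115 lets a SCIM client map onto an internal
    user.uid). A value that also equals a known internal uid is flagged as a
    direct collision and deserves immediate review."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        body = entry.get("body", {})
        ext = str(body.get("externalId", ""))
        if NUMERIC_ID.match(ext):
            findings.append({
                "ts": entry.get("ts"),
                "client": entry.get("client"),
                "userName": body.get("userName"),
                "externalId": ext,
                "collides_with_internal_uid": ext in internal_uids,
            })
    return findings


def is_safe_external_id(ext):
    """Guard a defender can enforce in front of the SCIM endpoint until the
    upgrade lands: reject empty or purely numeric externalId values."""
    ext = str(ext or "")
    return bool(ext) and not NUMERIC_ID.match(ext)


if __name__ == "__main__":
    # Constructed internal uid set; "1" stands in for the built-in admin account.
    for finding in audit_scim_log(SAMPLE_SCIM_LOG.splitlines(), {"1", "2", "3"}):
        print(finding)
```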

CVEs

  • CVE-2025-41115

Vendors

  • Grafana
  • Grafana Enterprise

Threats

  • Privilege escalation
  • Account impersonation

Targets

  • Observability platforms
  • Enterprise monitoring environments