🚨 CRITICAL intel

CVE-2025-41115 – Grafana SCIM Config Enables Privilege Escalation

CVE-2025-41115 affects Grafana Enterprise 12.0.0 through 12.2.1 and allows privilege escalation when the SCIM provisioning feature is enabled, making it possible for attackers to impersonate existing high-privilege users. The vulnerability arises from Grafana's direct mapping of SCIM externalId values to internal user.uid fields, enabling user impersonation when numeric identifiers collide. The issue is rated with a CVSS score of 10.0 and is mapped to MITRE ATT&CK technique T1134 (Access Token Manipulation). Attackers must leverage a compromised or malicious SCIM client to exploit the flaw, but once achieved, they can escalate privileges or impersonate administrative accounts.

The vulnerability manifests specifically when both the enableSCIM feature flag and the user_sync_enabled option are enabled in the [auth.scim] configuration block. Attackers exploit the ambiguity created by numeric externalId values to override existing internal accounts. Since SCIM provisioning is often integrated with federated identity systems, organizations that rely heavily on automated user lifecycle management face elevated risk. Industries using Grafana for operational dashboards, SIEM analytics, or cloud-native observability workflows—including finance, SaaS, manufacturing, and healthcare—are especially exposed due to the platform's widespread use.

If exploited, organizations may see unauthorized dashboard access, tampering with alert configurations, exposure of sensitive telemetry, or full administrative takeover. Such a compromise could violate compliance requirements under frameworks such as SOC 2, HIPAA, and GDPR, particularly where dashboards process regulated data. With public exploit details emerging after the vendor advisory, the likelihood of weaponization increases. Although the flaw requires a specific SCIM configuration, the risk profile is severe due to its impact scope and the growing adoption of identity automation.
Grafana released updated builds (12.3, 12.2.1, 12.1.3, and 12.0.6) with patches addressing the issue. Administrators should immediately update all Grafana Enterprise 12.x instances and disable SCIM provisioning unless explicitly required. Organizations should audit identity integrations, rotate API tokens for SCIM clients, and monitor for suspicious provisioning events. Additional defensive actions include enforcing least-privilege access models, verifying user UID consistency across identity providers, and enabling anomaly detection for provisioning behavior.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: CVE-2025-41115 poses a maximum-severity risk to organizations relying on Grafana for operational visibility, enabling privilege escalation and unauthorized access to sensitive dashboards and analytics pipelines. Compromise of administrative accounts may trigger regulatory exposure under GDPR, SOC 2, or HIPAA where telemetry includes personal or operationally sensitive data.

Technical Context: The flaw stems from unsafe handling of numeric SCIM externalId values, enabling collisions with internal user.uid identifiers. Exploitation requires SCIM provisioning with both enableSCIM and user_sync_enabled active. Attackers can impersonate or escalate privileges via malicious SCIM payloads, mapped to MITRE ATT&CK T1134 (Access Token Manipulation).

Strategic Intelligence Guidance

  • Patch Grafana Enterprise to versions 12.3, 12.2.1, 12.1.3, or 12.0.6 immediately and disable SCIM provisioning unless required.
  • Audit SCIM client integrations, rotate related API tokens, and enforce strict identity verification controls on provisioning flows.
  • Enable monitoring for anomalous provisioning operations such as numeric externalIds or unexpected user creations.
  • Adopt least-privilege role architectures in Grafana dashboards and segregate administrative functions across identity providers.
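The configuration precondition described above and the monitoring guidance in the last bullets, turned into a defender-side check as an added example (not code from this brief or from Grafana): it parses a constructed grafana.ini for the enableSCIM plus user_sync_enabled combination and flags SCIM User payloads whose externalId is purely numeric. The ini layout (the toggle under [feature_toggles]) and the sample payloads are assumptions.

```python
import configparser
from typing import Iterable

# Constructed grafana.ini fragments (assumed layout: the enableSCIM feature
# toggle lives under [feature_toggles], user_sync_enabled under [auth.scim]).
INI_VULNERABLE = """[feature_toggles]
enableSCIM = true
[auth.scim]
user_sync_enabled = true
"""
INI_TOGGLE_LIST = """[feature_toggles]
enable = someOtherToggle,enableSCIM
[auth.scim]
user_sync_enabled = true
"""

# Constructed SCIM User payloads as a SCIM client would POST them; the second
# carries a purely numeric externalId, the shape the advisory says can collide
# with Grafana's internal user identifiers.
SCIM_USERS = [
    {"userName": "alice@example.com", "externalId": "8f2c0d6e-idp-guid"},
    {"userName": "mallory@example.com", "externalId": "1"},
    {"userName": "bob@example.com"},  # no externalId at all
]


def scim_sync_enabled(ini_text: str) -> bool:
    """True when both settings named in the advisory are on at the same time."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    # Toggles may be set as their own key or in the comma-separated 'enable' list.
    per_key = cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    listed = cfg.get("feature_toggles", "enable", fallback="")
    in_list = "enablescim" in [t.strip().lower() for t in listed.split(",")]
    sync = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return (per_key or in_list) and sync


def numeric_external_ids(users: Iterable[dict]) -> list[str]:
    """userNames whose externalId is all digits: hold these provisioning
    requests for review, since that is the collision case behind the CVE."""
    return [u.get("userName", "<unknown>") for u in users
            if str(u.get("externalId", "")).strip().isdigit()]
```

Run scim_sync_enabled over each instance's grafana.ini during the patch sweep, and feed numeric_external_ids from the SCIM request log or a reverse proxy in front of the SCIM endpoint to surface the provisioning events the guidance asks you to monitor.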

CVEs

CVE-2025-41115

Vendors

Grafana

Targets

Grafana Enterprise environments