Grafana Labs disclosed a critical vulnerability (CVE-2025-41115) in its **Grafana Enterprise** product that enables privilege escalation or impersonation of administrators when **SCIM provisioning** is misconfigured. The flaw arises from improper mapping of the `externalId` SCIM attribute to Grafana's internal `user.uid`: a malicious or compromised SCIM client can assign a numeric `externalId` (e.g., `"1"`) to a provisioned user, causing that user to be treated as the existing internal account with that ID, including the administrator. Exploitation requires both `enableSCIM` and `user_sync_enabled` to be active (SCIM provisioning is a *Public Preview* feature), but the risk is severe given Grafana's widespread use across enterprises for data visualization and monitoring.

The vulnerability affects versions **12.0.0 to 12.2.1** (Grafana OSS is unaffected, and Grafana Cloud services were patched before disclosure). Grafana Labs confirmed no evidence of active exploitation in its Cloud environment but urged self-managed users to upgrade to versions **12.3.0, 12.2.1, 12.1.3, or 12.0.6** or to disable SCIM. The flaw was discovered internally on **November 4**, patched within 24 hours, and publicly disclosed on **November 19**. Prior scanning activity for older Grafana flaws (e.g., path traversal) suggests potential reconnaissance that could be redirected at this new vulnerability.

Failure to patch could allow attackers to **compromise administrative accounts**, leading to unauthorized dashboard access, data manipulation, or lateral movement within enterprise networks. Given Grafana's role in operational analytics, exploitation could disrupt monitoring, alerting, or compliance reporting, with cascading effects on security posture and incident response.
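The corrective action listed for this incident is stricter validation of SCIM attributes. The following is an added example (not Grafana's code) of a gateway-side check on SCIM `POST /Users` bodies that rejects an `externalId` that is purely numeric or that equals an existing internal uid; it assumes the IdP issues opaque UUID identifiers and that the set of existing `user.uid` values is known, and all payloads and uids are constructed for illustration.

```python
"""Added example (not Grafana's code): reject SCIM provisioning payloads whose
externalId could be read as an internal user.uid, the pattern behind CVE-2025-41115.
Assumptions (constructed): IdP externalIds are UUIDs; internal uids are decimal
strings; the gateway knows the current uid table."""
import re
import uuid
from dataclasses import dataclass, field

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed internal uid table; "1" is the built-in admin in this illustration.
EXISTING_UIDS = {"1", "2", "3"}

# Constructed SCIM POST /Users bodies, as an IdP or a misbehaving client might send.
SAMPLE_REQUESTS = [
    {"schemas": [SCIM_USER_SCHEMA], "userName": "alice@corp.example",
     "externalId": "550e8400-e29b-41d4-a716-446655440000"},
    {"schemas": [SCIM_USER_SCHEMA], "userName": "mallory@corp.example",
     "externalId": "1"},                       # numeric: aliases internal admin uid
    {"schemas": [SCIM_USER_SCHEMA], "userName": "bob@corp.example",
     "externalId": "bob"},                     # not an IdP-issued identifier
    {"schemas": [], "userName": "carol@corp.example",
     "externalId": "6ba7b810-9dad-11d1-80b4-00c04fd430c8"},  # schema missing
]

@dataclass
class Decision:
    accepted: bool
    reasons: list = field(default_factory=list)

def validate_scim_user(payload: dict, existing_uids: set) -> Decision:
    """Accept only payloads whose externalId cannot be confused with a user.uid."""
    reasons = []
    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        reasons.append("missing core User schema")
    ext = payload.get("externalId")
    if not isinstance(ext, str) or not ext:
        reasons.append("externalId missing")
    else:
        if re.fullmatch(r"\d+", ext):
            # Digits-only externalId is exactly what maps onto an internal uid.
            reasons.append(f"externalId {ext!r} is numeric and may alias an internal uid")
        else:
            try:
                uuid.UUID(ext)  # assumed IdP identifier format
            except ValueError:
                reasons.append(f"externalId {ext!r} is not an IdP-issued UUID")
        if ext in existing_uids:
            reasons.append(f"externalId {ext!r} equals an existing internal uid")
    return Decision(accepted=not reasons, reasons=reasons)

def triage(requests: list, existing_uids: set) -> dict:
    """Map each rejected userName to its reasons; suitable as an alert source."""
    decisions = {r["userName"]: validate_scim_user(r, existing_uids) for r in requests}
    return {name: d.reasons for name, d in decisions.items() if not d.accepted}
```

Feeding `SAMPLE_REQUESTS` through `triage` accepts only the UUID-identified, schema-correct user and flags the numeric `externalId` on both the numeric and collision rules, which is the event a defender would want to alert on.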
Grafana Labs cybersecurity rating report: https://www.rankiteo.com/company/grafana-labs
"id": "GRA2792027112125",
"linkid": "grafana-labs",
"type": "Vulnerability",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': ['Software',
'Data Visualization',
'Monitoring'],
'location': 'Global',
'name': 'Grafana Labs',
'type': 'Organization'}],
'attack_vector': ['Network', 'SCIM Provisioning Misconfiguration'],
'customer_advisories': ['Public security bulletin issued with mitigation '
'steps'],
'date_detected': '2024-11-04',
'date_publicly_disclosed': '2024-11-19',
'description': 'Grafana Labs has disclosed a maximum severity vulnerability '
'(CVE-2025-41115) in its Enterprise product that allows new '
'users to be treated as administrators or enables privilege '
'escalation when SCIM (System for Cross-domain Identity '
'Management) provisioning is enabled. The flaw arises when '
"both the 'enableSCIM' feature flag and 'user_sync_enabled' "
'options are set to true, permitting a malicious or '
'compromised SCIM client to provision a user with a numeric '
"'externalId' that maps to an internal account, including "
'administrators. This could lead to impersonation or '
'unauthorized privilege escalation. The issue was discovered '
'during internal auditing on November 4, 2024, and patched '
'within 24 hours. Public disclosure followed on November 19, '
'2024. Grafana Cloud services (including Amazon Managed '
'Grafana and Azure Managed Grafana) were patched prior to '
'disclosure, while self-managed installations require updates '
'to versions 12.3.0, 12.2.1, 12.1.3, or 12.0.6. Grafana OSS '
'users are unaffected.',
'impact': {'brand_reputation_impact': ['Potential Erosion of Trust Due to '
'Privilege Escalation Risk'],
'operational_impact': ['Potential Unauthorized Administrative '
'Access',
'Impersonation Risk'],
'systems_affected': ['Grafana Enterprise (Self-Managed)']},
'investigation_status': 'Resolved (No Evidence of Exploitation in Grafana '
'Cloud)',
'lessons_learned': ['Importance of Secure Default Configurations for Preview '
'Features',
'Rapid Patch Deployment for Critical Vulnerabilities',
'Proactive Monitoring for Exploitation Attempts (e.g., '
'GreyNoise Scanning Activity)'],
'post_incident_analysis': {'corrective_actions': ['Released patched versions '
'(12.3.0, 12.2.1, 12.1.3, '
'12.0.6) with fixed SCIM '
'provisioning logic',
'Enhanced input validation '
'for SCIM attributes',
'Proactive communication to '
'customers about risk and '
'mitigations'],
'root_causes': ['Improper mapping of SCIM '
"'externalId' to internal "
"'user.uid' in Grafana Enterprise",
'Insufficient validation of '
"numeric 'externalId' values "
'during user provisioning',
'Preview feature (SCIM) enabled '
'without robust safeguards']},
'recommendations': ['Upgrade Grafana Enterprise to patched versions (12.3.0, '
'12.2.1, 12.1.3, or 12.0.6) immediately.',
'Disable SCIM provisioning if not required.',
'Monitor for unusual SCIM-related activity or privilege '
'escalation attempts.',
'Review and audit user provisioning workflows, especially '
'for identity management integrations.'],
'references': [{'date_accessed': '2024-11-19',
'source': 'Grafana Labs Security Bulletin'},
{'source': 'GreyNoise Report on Grafana Scanning Activity'}],
'response': {'communication_strategy': ['Public Security Bulletin',
'Customer Advisories'],
'containment_measures': ['Patch Deployment (Grafana Enterprise '
'12.3.0, 12.2.1, 12.1.3, 12.0.6)',
'Disabling SCIM Provisioning'],
'incident_response_plan_activated': True,
'remediation_measures': ['Software Updates',
'Configuration Changes (Disabling '
'SCIM)']},
'stakeholder_advisories': ['Customers advised to apply patches or disable '
'SCIM'],
'title': 'Grafana Enterprise Privilege Escalation Vulnerability '
'(CVE-2025-41115)',
'type': ['Vulnerability', 'Privilege Escalation', 'Impersonation'],
'vulnerability_exploited': 'CVE-2025-41115 (Improper Mapping of SCIM '
"'externalId' to Internal 'user.uid')"}