CVE-2025-41115: Critical SCIM Vulnerability in Grafana Enterprise Enables Admin Account Takeover

CyberSecureFox 🦊

A critical security flaw tracked as CVE-2025-41115 has been discovered in the commercial edition of Grafana Enterprise, scoring the maximum 10.0 on the CVSS scale. Under specific conditions, an attacker can create an account that Grafana treats as an existing internal user — including administrators — leading to complete compromise of the affected Grafana instance.

What Is CVE-2025-41115 in Grafana Enterprise?

The vulnerability is present only when Grafana Enterprise has SCIM provisioning (System for Cross-domain Identity Management) enabled. For the flaw to be exploitable, both the enableSCIM feature toggle (in the [feature_toggles] section of grafana.ini) and user_sync_enabled (in the [auth.scim] section) must be set to true. These settings are typically used in environments where user lifecycle management is centralized through an external Identity Provider (IdP) and accounts are synchronized automatically.

The core implementation error lies in the handling of the externalId attribute, which in the SCIM standard (RFC 7643) is the identifier the provisioning client, in practice the IdP, uses for a user. In affected versions of Grafana Enterprise, this client-supplied externalId value was mapped directly onto the internal Grafana user identifier user.uid.

As a result, if a SCIM client created a user with a numeric externalId (for example, "1"), Grafana could associate that record with an existing internal account that has the same user.uid, including a built-in or previously created administrator account. This misbinding enables account impersonation and privilege escalation without the victim's password and without having to bypass any conventional authentication control: the attacker never logs in as the victim at all, the identity mapping does the work.

Attack Scenario: How the SCIM Provisioning Flaw Is Exploited

Abuse of Malicious or Compromised SCIM Clients

According to the vendor, exploitation requires a malicious or compromised SCIM client that is authorized to send user creation or update requests to Grafana. In practice, this could be:

— a compromised IdP or any SCIM-capable identity service;
— a poorly secured integration service acting as a SCIM client;
— an attacker who has obtained SCIM client credentials or access tokens.

With such access, an attacker can intentionally create a SCIM user whose externalId is chosen to match the user.uid of an existing Grafana account. Due to the flawed identifier mapping, Grafana interprets the new SCIM user as if it were the internal account, effectively granting the attacker the same permissions, up to and including full administrator rights.
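To make the misbinding concrete, here is an added example in Go (the language Grafana is written in) that is not Grafana's code: a small hypothetical user store that reuses the SCIM externalId as the internal UID, beside a hardened store that keeps externalId in an index of its own and mints internal UIDs locally. The built-in admin with UID "1", the store types and the attacker's request are assumptions made for the demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Hypothetical model of the identifier mapping; illustrative code, not
// Grafana's implementation.

// User is an internal account record. For the demonstration the built-in
// admin is assumed to carry the short UID "1".
type User struct {
	UID     string
	Login   string
	IsAdmin bool
}

// SCIMUser carries the two RFC 7643 User attributes that matter here.
type SCIMUser struct {
	UserName   string
	ExternalID string
}

// VulnerableStore reproduces the flawed pattern: the client-chosen
// externalId is used directly as the internal UID, so provisioning with
// externalId "1" resolves to whichever account already holds UID "1".
type VulnerableStore struct{ users map[string]*User }

func NewVulnerableStore(seed ...*User) *VulnerableStore {
	s := &VulnerableStore{users: map[string]*User{}}
	for _, u := range seed {
		s.users[u.UID] = u
	}
	return s
}

func (s *VulnerableStore) Provision(req SCIMUser) *User {
	if u, ok := s.users[req.ExternalID]; ok {
		return u // misbinding: the SCIM client now acts as this internal account
	}
	u := &User{UID: req.ExternalID, Login: req.UserName}
	s.users[u.UID] = u
	return u
}

// HardenedStore keeps externalId in a separate index that only SCIM
// provisioning writes to and generates UIDs itself, so a client-chosen
// externalId can never address a pre-existing account.
type HardenedStore struct {
	users      map[string]*User  // internal UID -> account
	byExternal map[string]string // externalId -> UID, SCIM-created accounts only
}

func NewHardenedStore(seed ...*User) *HardenedStore {
	s := &HardenedStore{users: map[string]*User{}, byExternal: map[string]string{}}
	for _, u := range seed {
		s.users[u.UID] = u
	}
	return s
}

// newUID returns a fresh random identifier that no current account uses.
func (s *HardenedStore) newUID() (string, error) {
	for {
		b := make([]byte, 8)
		if _, err := rand.Read(b); err != nil {
			return "", err
		}
		if uid := hex.EncodeToString(b); s.users[uid] == nil {
			return uid, nil
		}
	}
}

func (s *HardenedStore) Provision(req SCIMUser) (*User, error) {
	if req.ExternalID == "" {
		return nil, fmt.Errorf("scim: externalId is required")
	}
	if uid, ok := s.byExternal[req.ExternalID]; ok {
		return s.users[uid], nil // update of an account SCIM itself created
	}
	uid, err := s.newUID()
	if err != nil {
		return nil, err
	}
	u := &User{UID: uid, Login: req.UserName}
	s.users[uid] = u
	s.byExternal[req.ExternalID] = uid
	return u, nil
}

// Demo seeds both stores with the admin (UID "1") and sends the same
// attacker-chosen request to each; it returns the account each resolves.
func Demo() (vulnerable, hardened *User, err error) {
	admin := func() *User { return &User{UID: "1", Login: "admin", IsAdmin: true} }
	req := SCIMUser{UserName: "attacker@example.com", ExternalID: "1"} // constructed request
	vulnerable = NewVulnerableStore(admin()).Provision(req)
	hardened, err = NewHardenedStore(admin()).Provision(req)
	return vulnerable, hardened, err
}

func main() {
	v, h, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable: login=%s admin=%v\n", v.Login, v.IsAdmin)
	fmt.Printf("hardened:   login=%s admin=%v uid=%s\n", h.Login, h.IsAdmin, h.UID)
}
```

The point of the hardened variant is not the random UID by itself but the separate index: lookups by externalId can only ever return accounts that SCIM created, so an externalId colliding with an internal identifier is simply a new user.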

Affected Versions and Impacted Environments

The vendor reports that only Grafana Enterprise installations in the range 12.0.0–12.2.1 are vulnerable, and only when SCIM provisioning is enabled. If SCIM is disabled, the vulnerability cannot be triggered.

It is important to note that:

— Grafana OSS (the open-source edition) is not affected;
— Grafana Cloud, Amazon Managed Grafana, and Azure Managed Grafana have already been patched;
— SCIM support in Grafana is officially in Public Preview, so it is unlikely to be enabled in most production environments.

The vulnerability was identified during an internal security audit on 4 November 2025, and patched releases followed within 24 hours. According to the vendor's investigation, there was no evidence of successful exploitation in the managed Grafana Cloud infrastructure at the time of disclosure.

Patching, Workarounds, and Risk Mitigation

Administrators of self-managed Grafana Enterprise deployments are strongly advised to upgrade as soon as possible to one of the fixed releases: 12.3.0, 12.2.1+security-01, 12.1.3+security-01, or 12.0.6+security-01 (plain 12.2.1 is still within the vulnerable range). Given the CVSS 10.0 rating and the potential for silent account takeover, this issue should be prioritized alongside other critical identity and access management (IAM) vulnerabilities.

If an immediate upgrade is not feasible, a practical short-term mitigation is to disable SCIM provisioning entirely by setting both the enableSCIM feature toggle and user_sync_enabled under [auth.scim] to false and restarting Grafana. This closes the vulnerable code path at the cost of pausing automated user synchronization from the IdP until the upgrade is done.

Additional defensive steps that organizations should consider include:

— auditing all IdP and SCIM integrations for least-privilege access and hardening;
— reviewing the protection of SCIM client tokens and credentials, including rotation policies;
— enabling detailed monitoring and alerting for suspicious changes to user accounts and administrator roles.
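For the monitoring point above, an added example in Go that is not Grafana's or any vendor's tooling: an audit that parses SCIM user-creation request bodies (as they could be captured at a reverse proxy in front of Grafana or exported from the IdP's provisioning log) and flags externalId values that collide with the uids of pre-existing accounts or that are plain numbers. The request bodies and the uid list are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Audit of SCIM POST /Users bodies; illustrative code, not part of Grafana.

// scimUser holds the RFC 7643 User attributes this check needs.
type scimUser struct {
	Schemas    []string `json:"schemas"`
	UserName   string   `json:"userName"`
	ExternalID string   `json:"externalId"`
}

// Finding describes one request that deserves a closer look.
type Finding struct {
	UserName   string
	ExternalID string
	Reason     string
}

var numericID = regexp.MustCompile(`^[0-9]+$`)

// AuditSCIMRequests parses each body and reports requests whose externalId
// could be confused with an internal Grafana user uid. existingUIDs holds
// the uids of accounts that were not created through SCIM (for instance an
// export of the user table taken before SCIM was switched on).
func AuditSCIMRequests(bodies []string, existingUIDs map[string]bool) ([]Finding, error) {
	var findings []Finding
	for i, body := range bodies {
		var u scimUser
		if err := json.Unmarshal([]byte(body), &u); err != nil {
			return nil, fmt.Errorf("request %d: invalid SCIM body: %w", i, err)
		}
		switch {
		case u.ExternalID == "":
			findings = append(findings, Finding{u.UserName, u.ExternalID, "missing externalId"})
		case existingUIDs[u.ExternalID]:
			findings = append(findings, Finding{u.UserName, u.ExternalID,
				"externalId equals the uid of an existing non-SCIM account"})
		case numericID.MatchString(u.ExternalID):
			findings = append(findings, Finding{u.UserName, u.ExternalID,
				"numeric externalId; identity providers normally send opaque identifiers"})
		}
	}
	return findings, nil
}

// SampleBodies are constructed requests, not captured traffic; the second
// one mimics the attacker's request from the advisory.
var SampleBodies = []string{
	`{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"alice@example.com","externalId":"c9b4f0e2-3a1d-4e7b-9f21-0d5a6b7c8e9f"}`,
	`{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"attacker@example.com","externalId":"1"}`,
	`{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"bob@example.com","externalId":"42"}`,
}

// SampleUIDs are constructed uids of pre-existing, non-SCIM accounts.
var SampleUIDs = map[string]bool{"1": true, "2": true}

func main() {
	findings, err := AuditSCIMRequests(SampleBodies, SampleUIDs)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s externalId=%-4s %s\n", f.UserName, f.ExternalID, f.Reason)
	}
}
```

Run against real captures, the collision check is the one that matters on an unpatched instance; the numeric check is a cheaper heuristic that also catches probing before a collision is found, since real IdPs almost always send UUIDs or other opaque strings.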

Broader Context: Identity Integrations as a High-Value Target

Recent observations from threat intelligence providers such as GreyNoise, which reported increased scanning for historic Grafana path traversal bugs, underline that Grafana instances remain an attractive target for attackers. Proactive reconnaissance for old and new vulnerabilities is a common pattern in campaigns against widely deployed monitoring and observability platforms.

Industry reports consistently highlight that attacks on authentication, authorization, and account management systems are among the leading initial access vectors. Integrations with external IdPs and protocols like SCIM significantly streamline user management but also expand the attack surface. Any logic error in how identities are mapped between systems can quickly escalate into organization-wide compromise.

This incident reinforces several key practices for security teams: conduct regular internal security reviews, avoid relying on preview or experimental features in mission-critical environments without strong compensating controls, and apply vendor patches promptly. Organizations using Grafana Enterprise and similar monitoring platforms should reevaluate their update processes, least-privilege models, and administrator activity monitoring to reduce the likelihood and impact of future identity-related vulnerabilities.
