Introduction
Privilege escalation in enterprise observability platforms can lead to unauthorized access to sensitive monitoring data and administrative controls. CVE-2025-41115, a critical vulnerability in Grafana Enterprise's SCIM provisioning, demonstrates how a subtle flaw in identity mapping can have far-reaching consequences for organizations relying on automated user lifecycle management.
About Grafana Labs: Grafana Labs is a major player in the observability and monitoring space, with its flagship product Grafana deployed by thousands of organizations globally. Grafana Enterprise extends the open-source platform with advanced features for large-scale environments, while Grafana Cloud provides managed services. The company is recognized for its rapid adoption in cloud-native and enterprise IT environments, making security issues in its products highly impactful across the tech industry.
Technical Information
CVE-2025-41115 affects Grafana Enterprise versions 12.0.0 through 12.2.1 when SCIM provisioning is enabled and configured. The vulnerability is rooted in how Grafana handles the SCIM externalId attribute during user provisioning. When a SCIM client provisions a user with a numeric externalId (for example, 1), Grafana's logic may incorrectly map this value directly to its internal user.uid field, which is also numeric and used as the primary key for user accounts. If the numeric externalId matches an internal privileged user ID (such as the administrator account, typically 1), the newly provisioned user may be treated as that privileged account. This results in privilege escalation or user impersonation, as the attacker-controlled SCIM client effectively overrides the internal user mapping. The issue is classified as CWE-266 (Incorrect Privilege Assignment).
This vulnerability is only exploitable if both the enableSCIM feature flag and the user_sync_enabled option in the [auth.scim] configuration block are set to true. Grafana OSS is not affected. No public code snippets have been released for this vulnerability, and exploitation relies on precise control of SCIM provisioning requests and knowledge of internal user ID assignments.
Patch Information
To address the critical vulnerability identified as CVE-2025-41115 in Grafana Enterprise's SCIM provisioning feature, Grafana Labs has released updated versions that include essential security patches. These versions are:
- Grafana Enterprise 12.3.0: This is the latest release incorporating the security fix.
- Grafana Enterprise 12.2.1: A backported release with the necessary patch.
- Grafana Enterprise 12.1.3: Another backported release containing the fix.
- Grafana Enterprise 12.0.6: Includes the security patch for users on this version.
These patches rectify the flaw in user identity handling within the SCIM provisioning system, which previously allowed a malicious or compromised SCIM client to provision a user with a numeric externalId. This could override internal user IDs, potentially leading to impersonation or privilege escalation.
It's important to note that this vulnerability affects Grafana Enterprise versions 12.0.0 through 12.2.1 when SCIM provisioning is enabled and configured. Grafana OSS users are not impacted by this issue.
For Grafana Cloud users, appropriate patches have been applied to ensure security. Additionally, cloud providers licensed to offer Grafana Cloud Pro, such as Amazon Managed Grafana and Azure Managed Grafana, have received early notification and confirmed that their offerings are secure as of the announcement date.
To safeguard your Grafana Enterprise instance, it is strongly recommended to upgrade to one of the patched versions mentioned above. This proactive measure will mitigate the risk associated with CVE-2025-41115 and enhance the overall security of your system.
Patch source: Grafana Labs Security Advisory
Affected Systems and Versions
- Products: Grafana Enterprise (not OSS)
- Affected versions: 12.0.0 through 12.2.1
- Vulnerable configurations: Both the enableSCIM feature flag and the user_sync_enabled option in the [auth.scim] block must be set to true
- Not affected: Grafana OSS, Grafana Enterprise versions prior to 12.0.0 or after 12.2.1, and any deployments where SCIM provisioning is not enabled
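The version and configuration conditions above can be turned into a local exposure check. The script below is an added example, not Grafana Labs tooling; it assumes the enableSCIM flag appears under [feature_toggles] either as its own key or in the comma-separated enable list, that user_sync_enabled lives under [auth.scim], and that the fixed version for each 12.x minor line is the one named in the Patch Information section.

```python
"""Exposure check for CVE-2025-41115 against a grafana.ini and a version string.

Added example (not Grafana's own code). Assumptions: the feature flag is set
as 'enableSCIM = true' under [feature_toggles] or listed in its 'enable' key,
and user_sync_enabled sits under [auth.scim], as the advisory describes.
"""
import configparser

# Fixed release per minor line, taken from the advisory's patch list.
FIXED = {(12, 0): (12, 0, 6), (12, 1): (12, 1, 3), (12, 2): (12, 2, 1)}
FIRST_AFFECTED = (12, 0, 0)


def parse_version(s: str) -> tuple:
    """'12.2.0' -> (12, 2, 0); drops pre-release/build suffixes such as '-preview'."""
    core = s.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def version_is_vulnerable(version: str) -> bool:
    """True when the version is in the affected range and below its line's fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False                      # releases before 12.0.0 are not affected
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False                      # 12.3.0 and later ship the fix
    return v < fixed


def scim_sync_enabled(ini_text: str) -> bool:
    """True only when both enableSCIM and [auth.scim] user_sync_enabled are on."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                  # keep key case so 'enableSCIM' matches
    cp.read_string("[DEFAULT]\n" + ini_text)   # tolerate section-less top keys
    flags = cp["feature_toggles"] if cp.has_section("feature_toggles") else {}
    listed = [f.strip() for f in str(flags.get("enable", "")).split(",")]
    flag_on = str(flags.get("enableSCIM", "false")).lower() == "true" or "enableSCIM" in listed
    sync_on = cp.get("auth.scim", "user_sync_enabled", fallback="false").lower() == "true"
    return flag_on and sync_on


def assess(version: str, ini_text: str) -> str:
    """Returns 'patched', 'mitigated-by-config' or 'vulnerable'."""
    if not version_is_vulnerable(version):
        return "patched"
    return "vulnerable" if scim_sync_enabled(ini_text) else "mitigated-by-config"


# Constructed sample configuration; not taken from any real deployment.
SAMPLE_INI = "[feature_toggles]\nenableSCIM = true\n\n[auth.scim]\nuser_sync_enabled = true\n"

if __name__ == "__main__":
    for ver in ("12.2.0", "12.2.1", "11.6.0"):
        print(ver, assess(ver, SAMPLE_INI))
```

Run it against the live grafana.ini and the version reported by the server; "mitigated-by-config" still means the build is unpatched and should be upgraded before SCIM sync is ever enabled.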
Vendor Security History
Grafana Labs has previously addressed several privilege escalation and authentication bypass vulnerabilities in its products, including:
- CVE-2022-24812 (Privilege Escalation in API Keys)
- CVE-2022-36062 (Privilege Escalation in Folder Permissions)
- CVE-2022-35957 (Privilege Escalation in Auth Proxy)
- CVE-2022-31107 (Account Takeover in OAuth)
The company maintains a public security advisory database and typically releases patches within weeks of vulnerability discovery. The SCIM provisioning feature was introduced in April 2025 as a public preview, and this rapid feature rollout may have contributed to the emergence of this vulnerability.