CVE-2025-41115: Vulnerability in Grafana Grafana Enterprise
Description
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow it to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to true
AI Analysis
Technical Summary
CVE-2025-41115 affects Grafana Enterprise 12.x releases from 12.0.0 onward when SCIM provisioning is enabled (the `enableSCIM` feature flag set to true and `user_sync_enabled` set to true in the `[auth.scim]` block). The vulnerability arises from improper handling of user identity during SCIM provisioning: a malicious or compromised SCIM client can supply a purely numeric externalId, and that value can be confused with an internal Grafana user ID, so the provisioned identity is bound to an existing account instead of a fresh one. This can result in impersonation of that account or privilege escalation within the Grafana environment. The CVSS 3.1 base score is 10.0 (critical), reflecting network attack vector, no privileges required, no user interaction, and complete confidentiality, integrity, and availability impact. In practice the attacker must be able to act as the configured SCIM client (for example through a compromised identity provider or a leaked SCIM credential), so the SCIM client's credential is the practical precondition even though the vector is scored as unauthenticated.
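The following is an added illustrative model of the bug class the summary describes (a numeric externalId being resolved as an internal user ID), shown beside the hardened lookup. It is example code written for this page, not Grafana's implementation; the store layout, the `resolve_*` and `provision` names, and the sample users are assumptions made for the demonstration.

```python
"""Illustrative model of SCIM identity confusion: vulnerable vs hardened lookup.

Added example, not Grafana code. The in-memory store, the uid 1 admin user and
the function names are assumptions for the demonstration only.
"""

from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class User:
    uid: int             # internal numeric user ID (assumed primary key)
    login: str
    external_id: str     # identifier supplied by the SCIM client
    is_admin: bool = False


@dataclass
class UserStore:
    users: Dict[int, User] = field(default_factory=dict)  # uid -> User

    def add(self, user: User) -> None:
        self.users[user.uid] = user

    def by_external_id(self, external_id: str) -> Optional[User]:
        # Match only against the externalId field, never against uid.
        return next((u for u in self.users.values() if u.external_id == external_id), None)


def resolve_vulnerable(store: UserStore, external_id: str) -> Optional[User]:
    """Vulnerable pattern: a numeric externalId is treated as an internal user ID.

    A SCIM client that sends externalId "1" therefore resolves to uid 1, the
    existing admin account, and the provisioning request lands on that account.
    """
    if external_id.isdigit():
        return store.users.get(int(external_id))
    return store.by_external_id(external_id)


def resolve_hardened(store: UserStore, external_id: str) -> Optional[User]:
    """Hardened pattern: client-controlled externalId only ever selects by externalId."""
    return store.by_external_id(external_id)


def provision(
    store: UserStore,
    external_id: str,
    login: str,
    resolver: Callable[[UserStore, str], Optional[User]],
    next_uid: int,
) -> User:
    """SCIM-style upsert: update the resolved user, otherwise create a new one."""
    existing = resolver(store, external_id)
    if existing is not None:
        # Attacker-controlled attributes are written onto whichever user resolved.
        existing.login = login
        existing.external_id = external_id
        return existing
    user = User(uid=next_uid, login=login, external_id=external_id)
    store.add(user)
    return user


def build_store() -> UserStore:
    # Constructed sample: one pre-existing admin with a non-numeric IdP identifier.
    store = UserStore()
    store.add(User(uid=1, login="admin", external_id="idp-admin-guid", is_admin=True))
    return store


def demo():
    """Provision externalId "1" through both resolvers and return the resulting users."""
    vuln_store = build_store()
    vuln_user = provision(vuln_store, "1", "attacker", resolve_vulnerable, next_uid=2)
    hard_store = build_store()
    hard_user = provision(hard_store, "1", "attacker", resolve_hardened, next_uid=2)
    return vuln_user, hard_user


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable:", v)  # resolves to uid 1, is_admin=True, login now "attacker"
    print("hardened:  ", h)  # new uid 2, is_admin=False
```

In the vulnerable path the attacker's IdP identity ends up bound to the existing admin record, which is the impersonation and privilege-escalation outcome the advisory describes; the hardened path never derives an internal key from client input.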
Potential Impact
Successful exploitation allows an attacker who controls or impersonates the configured SCIM client to bind a provisioned identity to an existing internal user ID by supplying a numeric externalId. This can lead to unauthorized access, impersonation of the targeted account (including administrators), and privilege escalation within Grafana Enterprise. The impact is critical, affecting confidentiality, integrity, and availability of the system.
Mitigation Recommendations
Patch status is not confirmed on this page; check the Grafana security advisory for the fixed 12.x releases and upgrade as soon as one is available. On self-hosted Grafana Enterprise, until the fix is applied, disable SCIM user provisioning if feasible by setting the `enableSCIM` feature flag to false and `user_sync_enabled` to false in `[auth.scim]`; the vulnerability requires both. Because the attack presumes a malicious or compromised SCIM client, treat the SCIM client's credential as sensitive: rotate it if compromise is suspected, and review users provisioned through SCIM for purely numeric externalId values or for existing accounts whose login or externalId changed unexpectedly. Monitor vendor communications for updates and apply patches promptly once available.
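To make the two exposure conditions and the post-incident review concrete, here is an added audit helper written for this page (not Grafana tooling and not from the advisory). It parses a grafana.ini fragment for the two settings named above and scans a SCIM `/Users` ListResponse for purely numeric externalId values. The sample ini text and SCIM response are constructed; the function names are this example's own.

```python
"""Audit helper for the CVE-2025-41115 exposure conditions.

Added example, not Grafana or advisory code. SAMPLE_INI and SAMPLE_SCIM are
constructed inputs; function names are this example's own.
"""

import configparser
import json
import re
from typing import List

# Constructed grafana.ini fragment with both exposure conditions present.
SAMPLE_INI = """
[feature_toggles]
; Grafana accepts a comma-separated enable list as well as per-flag keys
enable = enableSCIM,someOtherFlag

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
"""

# Constructed SCIM ListResponse; the "1" and "42" externalIds are the suspicious shape.
SAMPLE_SCIM = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "3", "userName": "alice@example.com", "externalId": "a1b2c3-idp-guid"},
        {"id": "4", "userName": "mallory@example.com", "externalId": "1"},
        {"id": "5", "userName": "eve@example.com", "externalId": "42"},
    ],
})


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "on"}


def load_ini(text: str) -> configparser.ConfigParser:
    # interpolation=None: grafana.ini values may legitimately contain '%'.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def scim_feature_enabled(cfg: configparser.ConfigParser) -> bool:
    """True if enableSCIM is on, via either 'enableSCIM = true' or the 'enable' list."""
    if not cfg.has_section("feature_toggles"):
        return False
    if _truthy(cfg.get("feature_toggles", "enableSCIM", fallback="false")):
        return True
    enabled = cfg.get("feature_toggles", "enable", fallback="")
    return "enableSCIM" in [flag.strip() for flag in enabled.split(",")]


def user_sync_enabled(cfg: configparser.ConfigParser) -> bool:
    return cfg.has_section("auth.scim") and _truthy(
        cfg.get("auth.scim", "user_sync_enabled", fallback="false")
    )


def is_exposed(ini_text: str) -> bool:
    """Both advisory conditions must hold for the instance to be affected."""
    cfg = load_ini(ini_text)
    return scim_feature_enabled(cfg) and user_sync_enabled(cfg)


def suspicious_external_ids(scim_json: str) -> List[str]:
    """Return userNames whose externalId is purely numeric (confusable with an internal ID)."""
    resources = json.loads(scim_json).get("Resources", [])
    return [
        r.get("userName", "<unknown>")
        for r in resources
        if re.fullmatch(r"\d+", str(r.get("externalId", "")))
    ]


if __name__ == "__main__":
    print("exposed:", is_exposed(SAMPLE_INI))
    print("numeric externalIds:", suspicious_external_ids(SAMPLE_SCIM))
```

Grafana also reads settings from `GF_<SECTION>_<KEY>` environment variables, so on a real instance confirm the effective values (for example in the server admin settings view) rather than trusting the ini file alone, and pull the SCIM user list from your identity provider or the instance's SCIM endpoint rather than a hand-built JSON document.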
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2025-04-16T09:19:26.442Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6920778b69daa88a9a1ad75d
Added to database: 11/21/2025, 2:30:35 PM
Last enriched: 4/25/2026, 11:05:00 PM
Last updated: 5/10/2026, 5:06:30 AM