CVE-2025-41116: CWE-653 in Grafana Labs Grafana Databricks Datasource Plugin
When using the Grafana Databricks Datasource Plugin, if OAuth passthrough is enabled on the datasource and multiple users are using the same datasource at the same time on a single Grafana instance, the wrong user identifier may be used and information the viewer is not authorized to see may be returned. This issue affects the Grafana Databricks Datasource Plugin from 1.6.0 before 1.12.0.
AI Analysis
Technical Summary
CVE-2025-41116 is a vulnerability classified under CWE-653 (Insufficient Control of a Resource Through its Lifetime) affecting the Grafana Databricks Datasource Plugin versions 1.6.0 up to but not including 1.12.0. The flaw arises specifically when OAuth passthrough is enabled on the datasource and multiple users concurrently access the same datasource on a single Grafana instance. Under these conditions the plugin may associate a request with the wrong user identifier, so that one viewer receives data belonging to a different user. This misattribution occurs due to improper session or token management within the plugin and leads to potential unauthorized data disclosure. The vulnerability impacts confidentiality but does not affect integrity or availability. Exploitation requires at least low privileges (an authenticated user) and user interaction, namely querying the datasource at the same time as other users. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and user interaction required, with no impact on confidentiality, integrity, or availability metrics. No public exploits are known, and no patches are linked yet, but upgrading to version 1.12.0 or later is implied as the remediation step. This vulnerability is particularly relevant for environments where multiple users share datasources with OAuth passthrough enabled, a common scenario in enterprise Grafana deployments integrating with Databricks for data visualization.
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of sensitive data visualized through Grafana dashboards connected to Databricks via the vulnerable plugin. This could lead to leakage of business intelligence, personal data, or other confidential information, potentially violating GDPR and other data protection regulations. The risk is heightened in multi-tenant or shared Grafana environments common in large enterprises or managed service providers. Although the severity is low, the breach of confidentiality can damage trust, lead to compliance penalties, and expose organizations to insider threat risks. The vulnerability does not affect system integrity or availability, so operational disruption is unlikely. However, the ease of exploitation is moderate due to the need for authenticated users and specific configuration, limiting the scope to internal or trusted users with access to the Grafana instance. European organizations using Grafana for critical analytics or regulated data should prioritize addressing this vulnerability to prevent inadvertent data exposure.
Mitigation Recommendations
1. Upgrade the Grafana Databricks Datasource Plugin to version 1.12.0 or later, where the vulnerability is fixed.
2. If an immediate upgrade is not possible, disable OAuth passthrough on the affected datasource to prevent user identifier mix-ups.
3. Implement strict access controls and user segregation in Grafana to minimize concurrent access to shared datasources.
4. Monitor Grafana logs for unusual access patterns or data requests that could indicate exploitation attempts.
5. Review and audit datasource configurations regularly to ensure compliance with least privilege principles.
6. Educate users about the risk of concurrent datasource usage and encourage session isolation practices.
7. Coordinate with Grafana Labs for official patches or updates and subscribe to their security advisories.
8. Consider network segmentation or additional authentication layers around Grafana instances to reduce exposure.
These steps go beyond generic advice by focusing on configuration changes, user behavior, and monitoring specific to this vulnerability scenario.
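Steps 1, 2 and 5 above amount to one audit question: which Databricks datasources combine OAuth passthrough with a plugin version in the affected range? The following is an added example written for this page, not code from Grafana Labs or the plugin; it runs that check over the JSON shape Grafana's `GET /api/datasources` endpoint returns. The plugin id `grafana-databricks-datasource` and the `jsonData.oauthPassThru` key are assumptions to confirm against your own instance, and the sample payload is constructed.

```python
from __future__ import annotations

import json
from typing import Any

# Assumed plugin id and jsonData key (not taken from the advisory); verify
# against the datasource JSON of your own Grafana instance.
DATABRICKS_PLUGIN_ID = "grafana-databricks-datasource"
OAUTH_PASSTHRU_KEY = "oauthPassThru"

# Affected range stated by the advisory: 1.6.0 <= version < 1.12.0
AFFECTED_MIN = (1, 6, 0)
FIXED_AT = (1, 12, 0)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '1.11.2' or 'v1.6' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes such as '-beta' are dropped; missing components are 0."""
    core = version.strip().lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected_version(plugin_version: str) -> bool:
    """True when the installed plugin falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(plugin_version) < FIXED_AT


def find_exposed_datasources(datasources: list[dict[str, Any]], plugin_version: str) -> list[str]:
    """Names of Databricks datasources with OAuth passthrough on while the plugin is affected.

    Other datasource types are ignored even if they use passthrough, since the
    advisory concerns only the Databricks plugin."""
    if not is_affected_version(plugin_version):
        return []
    return [
        ds["name"]
        for ds in datasources
        if ds.get("type") == DATABRICKS_PLUGIN_ID
        and ds.get("jsonData", {}).get(OAUTH_PASSTHRU_KEY) is True
    ]


# Constructed sample in the shape of a GET /api/datasources response.
SAMPLE_DATASOURCES = json.loads("""[
  {"name": "databricks-prod", "type": "grafana-databricks-datasource", "jsonData": {"oauthPassThru": true}},
  {"name": "databricks-svc", "type": "grafana-databricks-datasource", "jsonData": {"oauthPassThru": false}},
  {"name": "prometheus", "type": "prometheus", "jsonData": {"oauthPassThru": true}}
]""")

if __name__ == "__main__":
    for name in find_exposed_datasources(SAMPLE_DATASOURCES, "1.9.0"):
        print(f"exposed: {name} (disable OAuth passthrough or upgrade the plugin to 1.12.0+)")
```

In a live audit, replace the sample with the response of `GET /api/datasources` fetched with a service-account token, and take the plugin version from the plugin's page in Grafana.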
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2025-04-16T09:19:26.443Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6913a6d6768d655a7be0441c
Added to database: 11/11/2025, 9:12:54 PM
Last enriched: 11/25/2025, 11:16:04 PM
Last updated: 12/26/2025, 8:24:42 PM