CRITICAL🇵🇱 Wersja polska

CVE-2025-41115

CVSS 10.0v3.1pub. 2025-11-21upd. 2026-01-08

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to true

🤖 AI Analysis
How it works

The SCIM provisioning feature, introduced for automatic user lifecycle management, improperly handles the value of the externalId field. A malicious or compromised SCIM client can provide a numeric externalId value when creating or updating a user. Such a value may be treated by Grafana as an internal user ID, making it possible to overwrite existing account identifiers. As a result, an attacker can gain access to another user's account or escalate their own privileges to a higher level.

Impact

An attacker can perform privilege escalation and obtain the privileges of any user in the system, including administrators, or impersonate an existing account. In an extreme scenario, complete takeover of the Grafana instance is possible with access to sensitive data, dashboards, and configuration.

Mitigation & patch

Apply patches available from the vendor according to the references (https://grafana.com/security/security-advisories/CVE-2025-41115). Until the update is applied, it is recommended to disable SCIM provisioning by setting `enableSCIM` to `false` or `user_sync_enabled` to `false` in the `[auth.scim]` configuration if this functionality is not essential.

Who is affected

Grafana Enterprise and Grafana Cloud version 12.x, only when both conditions are simultaneously met: feature flag `enableSCIM` set to `true` and the `user_sync_enabled` option in the `[auth.scim]` section set to `true`.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Grafana

    APP
    Grafana
    12.0.0 – 12.2.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2021-39226CRITICAL9.8⚠ KEVten sam produkt

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated ...

CVE-2026-27876CRITICAL9.1PL ✓ten sam produkt

RCE w Grafana przez SQL Expressions i plugin Enterprise (CVE-2026-27876)

CVE-2024-9264CRITICAL9.4PL ✓ten sam produkt

Grafana: command injection i local file inclusion przez SQL Expressions (duckdb)

CVE-2023-3128CRITICAL9.4ten sam produkt

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is no...

CVE-2022-39328CRITICAL9.8ten sam produkt

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less tha...