Grafana Patches CVSS 10.0 SCIM Flaw Enabling Impersonation and Privilege Escalation

Posted on November 21, 2025 By CWS

Nov 21, 2025Ravie LakshmananVulnerability / Risk Mitigation
Grafana has launched safety updates to deal with a most severity safety flaw that would permit privilege escalation or consumer impersonation below sure configurations.
The vulnerability, tracked as CVE-2025-41115, carries a CVSS rating of 10.0. It resides within the System for Cross-domain Id Administration (SCIM) part that enables automated consumer provisioning and administration. First launched in April 2025, it is at present in public preview.
“In Grafana variations 12.x the place SCIM provisioning is enabled and configured, a vulnerability in consumer id dealing with permits a malicious or compromised SCIM consumer to provision a consumer with a numeric externalId, which in flip might permit for overriding inner consumer IDs and result in impersonation or privilege escalation,” Grafana’s Vardan Torosyan stated.

That said, successful exploitation hinges on both conditions being met:

  • the enableSCIM feature flag is set to true
  • the user_sync_enabled config option in the [auth.scim] block is set to true

The shortcoming affects Grafana Enterprise versions from 12.0.0 to 12.2.1. It has been addressed in the following versions of the software:

  • Grafana Enterprise 12.0.6+security-01
  • Grafana Enterprise 12.1.3+security-01
  • Grafana Enterprise 12.2.1+security-01
  • Grafana Enterprise 12.3.0

"Grafana maps the SCIM externalId directly to the internal user.uid; therefore, numeric values (e.g. '1') may be interpreted as internal numeric user IDs," Torosyan said. "In specific circumstances this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation."
The analytics and observability platform said the vulnerability was discovered internally on November 4, 2025, during an audit and testing. Given the severity of the issue, users are advised to apply the patches as soon as possible to mitigate potential risks.
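To make the mapping flaw concrete, the following is an added Go example (not Grafana's own code) that places the direct externalId-to-uid copy the advisory describes next to a hardened mapping that rejects numeric externalId values and namespaces SCIM-provisioned uids; the scimUser type, the internalUsers directory and the ID-1 Admin account are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"strconv"
)

// Hypothetical SCIM create-user payload as the provisioning endpoint sees it.
type scimUser struct {
	UserName   string
	ExternalID string
}

// Constructed directory of pre-existing internal accounts keyed by numeric ID; Admin is ID 1 here.
var internalUsers = map[int64]string{1: "admin", 2: "viewer"}

// vulnerableUID reproduces the flawed mapping the advisory describes: externalId
// is copied straight into the internal uid, so "1" aliases internal user ID 1.
func vulnerableUID(u scimUser) string { return u.ExternalID }

// hardenedUID rejects externalIds that parse as integers and prefixes every
// SCIM-provisioned uid so it can never resolve to a numeric internal ID.
func hardenedUID(u scimUser) (string, error) {
	if _, err := strconv.ParseInt(u.ExternalID, 10, 64); err == nil {
		return "", fmt.Errorf("externalId %q is numeric and could alias an internal user ID", u.ExternalID)
	}
	return "scim:" + u.ExternalID, nil
}

// collidesWithInternal reports whether a uid would be looked up as an existing
// numeric account, returning that account's name when it does.
func collidesWithInternal(uid string) (string, bool) {
	id, err := strconv.ParseInt(uid, 10, 64)
	if err != nil {
		return "", false
	}
	name, ok := internalUsers[id]
	return name, ok
}

func main() {
	req := scimUser{UserName: "new.user@example.com", ExternalID: "1"} // constructed input
	if name, hit := collidesWithInternal(vulnerableUID(req)); hit {
		fmt.Printf("direct mapping: externalId %q resolves to existing account %q\n", req.ExternalID, name)
	}
	if _, err := hardenedUID(req); err != nil {
		fmt.Println("hardened mapping:", err)
	}
}
```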
