Grafana Enterprise patches critical SCIM flaw enabling privilege escalation
Take action: If you're running Grafana Enterprise 12.0.0 through 12.2.1 with SCIM provisioning enabled, review the specific configuration. If your configuration matches the exploitable one, this is a priority - attackers can gain full admin access to your system. Otherwise, plan a normal update.
Grafana Labs has released security updates for Grafana Enterprise patching a critical severity vulnerability in its SCIM (System for Cross-domain Identity Management) provisioning feature that could allow malicious actors to escalate privileges or impersonate users, including administrators, under specific configurations.
The flaw, tracked as CVE-2025-41115 (CVSS score 10.0), is caused by incorrect user identity handling within the SCIM provisioning system, which was introduced in April 2025 to automate user lifecycle management across organizations. When SCIM provisioning is active, Grafana maps the SCIM externalId directly to the internal user.uid without proper validation. This allows a compromised or malicious SCIM client to provision users with numeric external identifiers that can override legitimate internal user IDs. As a result, newly provisioned accounts can assume the identity of existing high-privilege users, such as the Admin account, effectively granting unauthorized administrative access to the entire Grafana instance.
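The identity mapping described above, as an added illustration that is not Grafana's code: a toy user store in which the flawed path copies the SCIM externalId straight into the internal uid, beside a hardened path that keeps the two identifiers separate. The names (Store, ProvisionUnsafe, ProvisionSafe), the seeded admin with uid "1", and the reject-numeric-externalId rule are assumptions for this example, not Grafana's actual fix.

```go
package main

import (
	"errors"
	"strconv"
)

// User is a simplified internal account record (illustrative, not Grafana's type).
type User struct {
	UID        string // internal identifier; "1" is the pre-existing admin in this toy store
	ExternalID string // SCIM identity, kept separate from UID in the safe version
	Login      string
	Admin      bool
}

// SCIMUser is the subset of a SCIM provisioning request that matters here.
type SCIMUser struct{ ExternalID, UserName string }

// Store keys users by internal UID and, separately, by SCIM externalId.
type Store struct{ byUID, byExternal map[string]*User; nextUID int }

// NewStore seeds a constructed store with one pre-existing admin account (uid "1").
func NewStore() *Store {
	return &Store{byUID: map[string]*User{"1": {UID: "1", Login: "admin", Admin: true}}, byExternal: map[string]*User{}, nextUID: 2}
}

// ProvisionUnsafe reproduces the flawed pattern: externalId is copied into uid verbatim,
// so a numeric externalId equal to an existing uid resolves to that account (here: admin).
func (s *Store) ProvisionUnsafe(req SCIMUser) *User {
	if u, ok := s.byUID[req.ExternalID]; ok {
		return u
	}
	u := &User{UID: req.ExternalID, Login: req.UserName}
	s.byUID[u.UID] = u
	return u
}

// ProvisionSafe rejects externalIds shaped like internal numeric ids, stores externalId in
// its own field and always mints a fresh uid, so SCIM input can never select a local account.
func (s *Store) ProvisionSafe(req SCIMUser) (*User, error) {
	if _, err := strconv.Atoi(req.ExternalID); req.ExternalID == "" || err == nil {
		return nil, errors.New("scim: externalId rejected: empty or numeric")
	}
	if u, ok := s.byExternal[req.ExternalID]; ok {
		return u, nil // idempotent re-provision of the same SCIM identity
	}
	u := &User{UID: strconv.Itoa(s.nextUID), ExternalID: req.ExternalID, Login: req.UserName}
	s.nextUID++
	s.byUID[u.UID], s.byExternal[u.ExternalID] = u, u
	return u, nil
}
```

In the unsafe path a request carrying externalId "1" lands on the seeded admin record; in the safe path the same request is refused and a legitimate opaque externalId receives a brand-new uid.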
The vulnerability occurs only when both of these configuration conditions are met:
- the enableSCIM feature flag is set to true, and
- the user_sync_enabled config option in the [auth.scim] block is enabled.
Organizations without this configuration remain unaffected. Affected versions include Grafana Enterprise 12.0.0 through 12.2.1. Patches have been applied to all Grafana Cloud instances, and coordinated early notification ensured managed service providers addressed the vulnerability before public disclosure.
Grafana Labs has released patched versions across all affected release branches. Organizations can upgrade to Grafana Enterprise 12.3.0 (the latest release with the security patch), or apply point releases 12.2.1, 12.1.3, or 12.0.6. The company strongly recommends that organizations running vulnerable instances upgrade as soon as possible.