As we reported yesterday, Grafana has released emergency security patches to fix a critical severity vulnerability. The flaw, tracked as CVE-2025-41115, carries the maximum CVSS score of 10.0. According to the advisory, the vulnerability lies in the SCIM (System for Cross-domain Identity Management) component, which is used to automate the exchange and management of user identities. It was identified during an internal audit carried out on Nov. 4, 2025. The vulnerability carries serious risks, including privilege escalation and user impersonation, when certain configurations are enabled.
Introduced in April 2025 and currently in public preview, SCIM lets administrators manage identities across multiple domains. The vulnerability was serious enough that Grafana moved quickly to protect users from potential exploitation.
Vulnerability Details
CVE-2025-41115 affects user identity handling in Grafana versions 12.x. It only impacts systems that have SCIM provisioning enabled and configured. In that configuration, a malicious or compromised SCIM client could provision a user with a numeric externalId, which could override internal user IDs and lead to impersonation or privilege escalation.
In a separate blog post, Vardan Torosyan from Grafana explained in more detail what this vulnerability means for users.
“In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow for overriding internal user IDs and lead to impersonation or privilege escalation,” – Vardan Torosyan
In response, Grafana has deployed emergency fixes for CVE-2025-41115. We strongly recommend that users update their systems to the most recent version. Don't wait: update now to defend against this vulnerability. This batch of security updates includes improvements aimed at keeping intruders out and protecting user account information.
“Grafana maps the SCIM externalId directly to the internal user.uid; therefore, numeric values (e.g. ‘1’) may be interpreted as internal numeric user IDs,” – Vardan Torosyan
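To illustrate the mapping described in the quote above, here is an added Go model (not Grafana's code) of how an externalId copied straight into uid can, when numeric, be resolved as an internal user ID, beside a hardened provisioning path that rejects numeric values and namespaces the uid. The Store, User and Resolve names, the numeric-first lookup order and the "scim:" prefix are assumptions for the example, not Grafana's actual implementation or patch.

```go
package main

import (
	"errors"
	"regexp"
	"strconv"
)

// Assumed, simplified model of the handling the advisory describes: users
// carry an internal numeric ID and a string uid; the vulnerable SCIM path
// copies the client-supplied externalId straight into uid.
type User struct {
	ID    int64
	UID   string
	Admin bool
}
type Store struct {
	byID  map[int64]*User
	byUID map[string]*User
}

func NewStore() *Store { return &Store{byID: map[int64]*User{}, byUID: map[string]*User{}} }

func (s *Store) Add(uid string, admin bool) *User {
	u := &User{ID: int64(len(s.byID)) + 1, UID: uid, Admin: admin} // internal IDs are 1, 2, 3, ...
	s.byID[u.ID], s.byUID[u.UID] = u, u
	return u
}

// Resolve treats a purely numeric identifier as an internal ID first (assumed
// lookup order); this is the ambiguity a numeric externalId lands in.
func (s *Store) Resolve(ident string) (*User, bool) {
	if n, err := strconv.ParseInt(ident, 10, 64); err == nil {
		if u, ok := s.byID[n]; ok {
			return u, true
		}
	}
	u, ok := s.byUID[ident]
	return u, ok
}

// ProvisionVulnerable mirrors the flawed mapping: externalId becomes uid unvalidated.
func (s *Store) ProvisionVulnerable(externalID string) *User { return s.Add(externalID, false) }

var numericID = regexp.MustCompile(`^[0-9]+$`)

// ProvisionHardened rejects numeric externalIds and namespaces the uid so it can
// never be confused with an internal ID (an assumed mitigation, not Grafana's patch).
func (s *Store) ProvisionHardened(externalID string) (*User, error) {
	if externalID == "" || numericID.MatchString(externalID) {
		return nil, errors.New("scim: externalId must be a non-numeric opaque identifier")
	}
	return s.Add("scim:"+externalID, false), nil
}
```

In the model, provisioning externalId "1" through the vulnerable path makes Resolve("1") return the pre-existing admin (internal ID 1) rather than the newly provisioned account, while the hardened path refuses the request outright.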
Mitigation Measures
Grafana's proactive approach to identifying and resolving vulnerabilities reflects a strong security posture and a commitment to shipping products that users can run with confidence.