CVE-2025-41115 | SCIM provisioning was introduced in Grafana Enterprise and G… | CVSS 10.0 CRITICAL

Description

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to true

Metadata

CVE ID: CVE-2025-41115
State: PUBLISHED
Assigner: GRAFANA
Reserved: 2025-04-16 09:19 UTC
Published: 2025-11-21 14:25 UTC
Last updated: 2026-06-12 14:47 UTC
Primary CWE: CWE-266
CWE-266 Incorrect Privilege Assignment
Vendor / Product: Grafana / Grafana Enterprise
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Grafana	Grafana Enterprise	—	12.0.0 < 12.2.1

Weakness (CWE)

CWE	Source	Description
CWE-266	adp	CWE-266 Incorrect Privilege Assignment

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://grafana.com/security/security-advisories/cve-2025-41115