Grafana Security Alert: Critical Admin Spoofing Vulnerability Discovered
In a recent security advisory, Grafana Labs warned of a severe vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to elevate newly provisioned users to administrator status or otherwise escalate privileges.
The flaw is only exploitable when SCIM (System for Cross-domain Identity Management) provisioning is enabled and configured: both the ‘enableSCIM’ feature flag and the ‘user_sync_enabled’ option must be set to true.
In that configuration, a malicious or compromised SCIM client can provision a user with a numeric externalId that matches the ID of an internal account, potentially including an administrator.
The externalId is a SCIM bookkeeping attribute that the identity provider uses to track users.
Because Grafana maps this attribute directly to its internal user.uid, a numeric externalId such as “1” can be treated as a reference to an existing internal account, enabling impersonation or privilege escalation.
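To make the mapping problem concrete, the following toy model (added here; not Grafana's code, and the hardening it shows is a generic approach, not necessarily the one Grafana shipped) keeps a small in-memory user store with internal accounts whose uids are "1" and "2", then contrasts a provisioning routine that copies externalId straight into uid with one that namespaces SCIM-provisioned identities so they can never resolve to an internal uid. The store, user records and externalId values are constructed for the example.

```python
"""Toy model of SCIM externalId -> user.uid mapping (constructed example, not Grafana code)."""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    login: str
    is_admin: bool = False


@dataclass
class UserStore:
    # Keyed by uid, mirroring a lookup that resolves an identity by its uid.
    users: dict = field(default_factory=dict)

    def find(self, uid: str):
        return self.users.get(uid)

    def add(self, user: User) -> User:
        self.users[user.uid] = user
        return user


def seed_store() -> UserStore:
    """Internal accounts with small numeric uids, as the advisory describes."""
    store = UserStore()
    store.add(User(uid="1", login="admin", is_admin=True))
    store.add(User(uid="2", login="alice"))
    return store


def provision_vulnerable(store: UserStore, external_id: str, login: str) -> User:
    """Direct mapping: externalId becomes uid without any namespace.

    If an internal user already has that uid, the SCIM-provisioned identity
    resolves to the existing account instead of creating a new one.
    """
    existing = store.find(external_id)
    if existing is not None:
        return existing
    return store.add(User(uid=external_id, login=login))


def provision_hardened(store: UserStore, external_id: str, login: str) -> User:
    """Namespaced mapping (assumed hardening, not Grafana's specific fix).

    SCIM identities get a dedicated prefix, so a numeric externalId can never
    equal an internal uid, and a repeated externalId is rejected rather than
    silently merged into an existing record.
    """
    uid = f"scim:{external_id}"
    if store.find(uid) is not None:
        raise ValueError(f"externalId {external_id!r} is already provisioned")
    return store.add(User(uid=uid, login=login))


def demo():
    """Returns (vulnerable_result, hardened_result) for externalId '1'."""
    vulnerable = provision_vulnerable(seed_store(), "1", "attacker-controlled")
    hardened = provision_hardened(seed_store(), "1", "attacker-controlled")
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = demo()
    print(f"vulnerable: uid={v.uid} login={v.login} admin={v.is_admin}")
    print(f"hardened:   uid={h.uid} login={h.login} admin={h.is_admin}")
```

In the direct-mapping path the provisioned identity comes back as the existing "admin" record; in the namespaced path it is a fresh, non-admin user whose uid cannot collide with any internal account, which is the property a reviewer should look for in any SCIM-to-local identity mapping.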
According to Grafana’s documentation, SCIM provisioning is presently in ‘Public Preview,’ with limited support available. Consequently, the adoption of this feature may not be widespread.
Grafana is a widely used data visualization and monitoring platform across various organizations, ranging from startups to Fortune 500 companies, for transforming metrics, logs, and operational data into dashboards, alerts, and analytics.
“In specific cases, this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation” – Grafana Labs
The vulnerability CVE-2025-41115 impacts Grafana Enterprise versions between 12.0.0 and 12.2.1 when SCIM is enabled.
Grafana OSS users are not affected, and Grafana Cloud services, including Amazon Managed Grafana and Azure Managed Grafana, have already been patched.
For self-managed installations, administrators should upgrade to one of the following patched versions:
- Grafana Enterprise version 12.3.0
- Grafana Enterprise version 12.2.1
- Grafana Enterprise version 12.1.3
- Grafana Enterprise version 12.0.6
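For administrators who want to check exposure before scheduling an upgrade, the following script (added here; not a Grafana tool) combines the two conditions the advisory gives: the SCIM configuration must be active, and the running version must predate the patched release for its minor line. It assumes the feature flag lives under a [feature_toggles] section (either as enable = enableSCIM or as enableSCIM = true) and that user_sync_enabled lives under an [auth.scim] section; verify those section names against your own grafana.ini. The version table is taken from the patched-version list above, and the sample configuration is constructed.

```python
"""Exposure check for CVE-2025-41115 (added example, not a Grafana-provided tool)."""
import configparser

# Patched release per minor line, from the advisory's list above (assumed complete).
PATCHED_BY_MINOR = {
    (12, 0): (12, 0, 6),
    (12, 1): (12, 1, 3),
    (12, 2): (12, 2, 1),
}
FIRST_AFFECTED = (12, 0, 0)
FIRST_UNAFFECTED_LINE = (12, 3, 0)

# Constructed grafana.ini fragment; section names are an assumption, see lead-in.
SAMPLE_INI_VULNERABLE = """
[feature_toggles]
enable = enableSCIM someOtherFlag

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
"""

SAMPLE_INI_SAFE = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = false
"""


def scim_provisioning_enabled(ini_text: str) -> bool:
    """True only when both the feature flag and user sync are turned on."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # Feature toggles may be listed in 'enable' (space/comma separated) or set individually.
    listed = cp.get("feature_toggles", "enable", fallback="")
    tokens = {t.strip().lower() for t in listed.replace(",", " ").split()}
    flag = "enablescim" in tokens or cp.getboolean("feature_toggles", "enableSCIM", fallback=False)
    sync = cp.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return flag and sync


def parse_version(version: str) -> tuple:
    """'12.1.2', '12.1.2-security-01' and '12.1.2+security-01' all parse to (12, 1, 2)."""
    core = version.split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version: str) -> bool:
    """True when the version is outside the affected range or at/after its line's fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= FIRST_UNAFFECTED_LINE:
        return True
    fixed = PATCHED_BY_MINOR.get(v[:2])
    return fixed is not None and v >= fixed


def assess(ini_text: str, version: str, edition: str = "enterprise") -> str:
    """Returns one of: not-affected-oss, scim-disabled, patched, vulnerable."""
    if edition.lower() != "enterprise":
        return "not-affected-oss"
    if not scim_provisioning_enabled(ini_text):
        return "scim-disabled"
    if is_patched(version):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    for ini, ver in ((SAMPLE_INI_VULNERABLE, "12.1.2"), (SAMPLE_INI_VULNERABLE, "12.1.3"),
                     (SAMPLE_INI_SAFE, "12.1.2")):
        print(ver, "->", assess(ini, ver))
```

A result of "vulnerable" means either upgrading to the patched release for that line or disabling SCIM provisioning, as the advisory recommends; "scim-disabled" should still be revisited if SCIM is turned on later.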
“If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible,” advises Grafana Labs.
The vulnerability was identified during internal auditing on November 4, with a security update rolled out approximately 24 hours later.
During this period, Grafana Labs conducted an investigation and confirmed that the flaw had not been exploited in Grafana Cloud.
The public release of the security update and the accompanying bulletin followed on November 19.
Grafana users are urged to promptly apply available patches or adjust the configuration (disable SCIM) to eliminate potential exploitation avenues.
Recently, GreyNoise reported heightened scanning activity targeting an old path traversal flaw in Grafana, underlining the importance of addressing vulnerabilities promptly.
Update 11/22 – Grafana Labs provided the following statement to BleepingComputer:
“At Grafana Labs, the security of our customers and their data is paramount. As soon as we identified this SCIM-related vulnerability affecting certain configurations in use by Grafana Enterprise and Grafana Cloud, our teams acted immediately to investigate, develop, and test a fix. Grafana Labs customers received patched versions in advance, and the appropriate protections have already been applied. We also worked closely under embargo with all cloud providers licensed to offer Grafana Cloud Pro to ensure their environments were secured ahead of today’s disclosure. It’s important to note that Grafana OSS users are not affected by this issue. We strongly encourage any affected customers to upgrade to the latest patched release as soon as possible. We remain committed to transparency and to continuously improving the security of the Grafana platform.” – Joe McManus, CISO, Grafana Labs