The vulnerability, tracked as CVE-2025-41115, affects Grafana Enterprise versions 12.0.0 through 12.2.1 and carries a maximum CVSS score of 10.0 (Critical).
The vulnerability resides in Grafana’s SCIM (System for Cross-domain Identity Management) provisioning feature, introduced in April 2025 to streamline user and team management through automated lifecycle management.
However, a critical flaw in user identity handling allows a malicious or compromised SCIM client to provision users with numeric external identifiers that override internal user IDs, potentially granting unauthorized actors administrative access.
The issue only manifests when both the enableSCIM feature flag is set to true and the user_sync_enabled configuration option is enabled in the auth.scim block.
Organizations without this specific configuration remain unaffected by this vulnerability. Significantly, Grafana OSS users are not impacted by this security issue.
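The two preconditions above (the `enableSCIM` feature flag and `user_sync_enabled` under `auth.scim`) are what a defender needs to check first. The following Python script is an added example, not code from Grafana Labs or from the original article: it reads a `grafana.ini`, decides whether the vulnerable combination is active, and compares the running version against the patched floor of each affected 12.x branch. The `[feature_toggles]` and `[auth.scim]` section names are the standard Grafana ini layout; the per-branch fix floor is taken from the patched-version list in this advisory and treats that list as authoritative. Both ini samples are constructed for the demonstration.

```python
import configparser
from typing import Tuple

# Patched floor per affected 12.x branch, from the advisory's patched-version
# list (12.0.6, 12.1.3, 12.2.1). 12.3.x is the unaffected current release.
PATCHED_FLOOR = {
    (12, 0): (12, 0, 6),
    (12, 1): (12, 1, 3),
    (12, 2): (12, 2, 1),
}

# Constructed sample: the exact combination the advisory names as vulnerable.
VULNERABLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

# Constructed sample: SCIM stays enabled, but user sync is off, so the
# precondition the advisory describes is absent (interim measure only; the
# advisory's remedy is upgrading to a patched build).
HARDENED_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = false
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.2.0' or 'v12.0.6+security-01' into a comparable int tuple."""
    core = version.strip().lstrip("v").split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_needs_patch(version: str) -> bool:
    """True when the build is on an affected branch and below its fix floor."""
    v = parse_version(version)
    floor = PATCHED_FLOOR.get(v[:2])
    return floor is not None and v < floor


def scim_user_sync_active(ini_text: str) -> bool:
    """True when both preconditions from the advisory are set in the ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # Grafana accepts toggles either as `name = true` entries or as a
    # comma-separated `enable = a,b` list under [feature_toggles].
    toggle = cp.getboolean("feature_toggles", "enableSCIM", fallback=False)
    enable_list = cp.get("feature_toggles", "enable", fallback="")
    listed = "enableSCIM" in [s.strip() for s in enable_list.split(",")]
    sync = cp.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return (toggle or listed) and sync


def assess(ini_text: str, version: str) -> str:
    """Classify an instance as NOT_EXPOSED, EXPOSED or PATCHED."""
    if not scim_user_sync_active(ini_text):
        return "NOT_EXPOSED"   # precondition absent, per the advisory
    if version_needs_patch(version):
        return "EXPOSED"       # vulnerable config on an unpatched build
    return "PATCHED"           # config is on, but the build carries the fix


if __name__ == "__main__":
    for label, ini in (("vulnerable", VULNERABLE_INI), ("hardened", HARDENED_INI)):
        for ver in ("12.2.0", "12.0.6+security-01", "12.3.0"):
            print(f"{label:10s} {ver:22s} -> {assess(ini, ver)}")
```

Run it against a real `grafana.ini` by reading the file into `assess()` together with the version reported by the instance; an `EXPOSED` result is the case the advisory describes, and `PATCHED` still means SCIM user sync is active and worth keeping in inventory.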
Grafana Labs has released patched versions across all affected branches: Grafana Enterprise 12.3.0 (latest), 12.2.1, 12.1.3, and 12.0.6.
The company coordinated with all cloud providers offering Grafana Cloud Pro, including Amazon Managed Grafana and Azure Managed Grafana, ensuring patches were applied before the public announcement.
Organizations running Grafana Enterprise should prioritize upgrading to patched versions immediately.
The vulnerability poses a significant risk to multi-tenant environments where user separation and privilege isolation are critical security controls.
Grafana’s security team discovered the vulnerability on November 4, 2025, during internal audits and initiated an immediate incident response.
The company verified that Grafana Cloud instances were not exploited and deployed an internal patch within hours.
The complete timeline demonstrates responsible disclosure practices, with the public announcement occurring on November 19, 2025, coinciding with the Grafana 12.3 release.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-41115 |
| Vulnerability Type | Incorrect Privilege Assignment / User ID Override |
| Affected Product | Grafana Enterprise 12.0.0 – 12.2.1 |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| Patched Versions | 12.3.0, 12.2.1, 12.1.3, 12.0.6 |
| Impact | Privilege escalation, admin impersonation, unauthorized data access |
| Prerequisites | SCIM provisioning and user_sync_enabled both configured |
Organizations using SCIM provisioning should verify their configurations and deploy patches without delay to prevent potential privilege escalation attacks.
The post Attackers Escalate Privilege Through Critical Grafana Vulnerability appeared first on Cyber Security News.