PT-2025-47560 · Grafana · Grafana, Grafana Enterprise

Published: 2025-11-19 · Updated: 2026-03-10 · CVE-2025-41115

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Grafana versions 12.0.0 through 12.2.1
Fixed in (see Recommendations): Grafana versions 12.0.6, 12.1.3, 12.1.4, 12.2.1, and 12.3.0
Description
A critical vulnerability exists in Grafana Enterprise versions 12.x related to the System for Cross-domain Identity Management (SCIM) provisioning feature. This flaw allows a malicious or compromised SCIM client to provision a user with a numeric externalId, potentially overriding internal user IDs and leading to impersonation or privilege escalation. The vulnerability is triggered when both the enableSCIM feature flag and the user sync enabled configuration option within the [auth.scim] block are set to true. An attacker can exploit this by sending a crafted SCIM request to the /api/scim/v2/Users endpoint with a manipulated externalId parameter, and can thereby gain administrative access. Approximately 601,000 instances are exposed.
Recommendations
Update to Grafana Enterprise version 12.0.6, 12.1.3, 12.1.4, 12.2.1, or 12.3.0.
If SCIM is not required, disable the enableSCIM feature flag and the user sync enabled configuration option in the [auth.scim] block.
Monitor logs and network traffic for suspicious SCIM requests, particularly those with numeric externalId values.
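As an added illustration of the log-monitoring recommendation above (example code written for this entry, not from the advisory or from Grafana), the following Python function scans constructed JSON access-log records for writes to /api/scim/v2/Users whose externalId is a bare number. The log format and its field names are assumptions; only a top-level externalId in the request body is inspected, so SCIM PATCH Operations are not unpacked.

```python
import json
import re

# Constructed sample log lines (not real Grafana logs): each line is a JSON
# record with the request method, path and the SCIM body the client sent.
SAMPLE_LOG = """
{"method": "POST", "path": "/api/scim/v2/Users", "body": {"userName": "alice@example.com", "externalId": "a1b2c3-uuid"}}
{"method": "POST", "path": "/api/scim/v2/Users", "body": {"userName": "eve@example.com", "externalId": "1"}}
{"method": "PUT", "path": "/api/scim/v2/Users/42", "body": {"userName": "bob@example.com", "externalId": 7}}
{"method": "GET", "path": "/api/scim/v2/Users", "body": null}
{"method": "POST", "path": "/api/dashboards/db", "body": {"externalId": "123"}}
"""

# Matches the collection endpoint and a single-user resource beneath it.
SCIM_USERS_PATH = re.compile(r"^/api/scim/v2/Users(/[^/]+)?$")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def is_numeric_external_id(value):
    """True when externalId is a bare integer, either a JSON number or an all-digit string."""
    if isinstance(value, bool):  # bool is a subclass of int; exclude it explicitly
        return False
    if isinstance(value, int):
        return True
    return isinstance(value, str) and value.strip().isdigit()


def find_suspicious_scim_requests(log_text):
    """Return (line_no, userName, externalId) for SCIM user writes carrying a numeric externalId."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if record.get("method") not in WRITE_METHODS:
            continue
        if not SCIM_USERS_PATH.match(record.get("path", "")):
            continue
        # Only a top-level externalId is inspected; PATCH Operations are not unpacked.
        body = record.get("body") if isinstance(record.get("body"), dict) else {}
        ext_id = body.get("externalId")
        if ext_id is not None and is_numeric_external_id(ext_id):
            findings.append((line_no, body.get("userName"), str(ext_id)))
    return findings


if __name__ == "__main__":
    for line_no, user, ext_id in find_suspicious_scim_requests(SAMPLE_LOG):
        print(f"line {line_no}: SCIM write for {user!r} with numeric externalId {ext_id}")
```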

Exploit · Fix · LPE

Weakness Enumeration
Incorrect Privilege Assignment

Related Identifiers

BDU:2025-14561
BIT-GRAFANA-2025-41115
CVE-2025-41115
ECHO-D885-5D85-11DB
GHSA-W62R-7C53-FMC5
GO-2025-4153
SUSE-SU-2025:4395-1

Affected Products

Grafana
Grafana Enterprise