Grafana has issued security updates to fix a severe vulnerability (CVE-2025-41115) affecting versions 12.0.0 to 12.2.1, which could enable privilege escalation or user impersonation. The flaw resides in the SCIM component used for automated user management, and exploitation requires specific configuration settings. #Grafana #CVE2025-41115
Key points
- The vulnerability affects Grafana Enterprise versions 12.0.0 to 12.2.1 with enabled and configured SCIM provisioning.
- The flaw allows a malicious SCIM client to provision users with numeric externalId values, potentially overriding internal user IDs.
- Successful exploitation depends on both the enableSCIM feature flag and the user_sync_enabled setting being enabled.
- The issue can lead to impersonation of internal accounts, such as Admin, due to direct mapping of externalId to internal user IDs.
- Grafana released patches in versions 12.0.6, 12.1.3, 12.2.1, and 12.3.0, advising users to apply updates promptly.
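As an added illustration, not Grafana's own code, the toy below shows the identifier-confusion pattern the key points describe: a lookup that treats a numeric externalId as an internal user ID, beside a hardened lookup that keeps externalId opaque, plus a validator a defender can place in front of a SCIM endpoint. The user store, IDs, logins and helper names are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    internal_id: int            # numeric primary key, as in many user tables
    login: str
    external_id: Optional[str]  # opaque identifier owned by the SCIM identity provider


# Constructed sample directory: the built-in Admin (id 1) was never provisioned via SCIM.
USERS: Dict[int, User] = {
    1: User(1, "admin", None),
    42: User(42, "alice", "a1b2c3-idp-uuid"),
}


def vulnerable_resolve(external_id: str) -> Optional[User]:
    """Illustrates the bug class: a numeric externalId falls through to the internal primary key."""
    if external_id.isdigit():
        return USERS.get(int(external_id))  # "1" maps straight onto the Admin account
    return next((u for u in USERS.values() if u.external_id == external_id), None)


def hardened_resolve(external_id: str) -> Optional[User]:
    """externalId is opaque: compare only against the stored SCIM externalId, never the primary key."""
    return next((u for u in USERS.values() if u.external_id == external_id), None)


def validate_scim_user(payload: str) -> List[str]:
    """Return findings for a SCIM /Users request body; an empty list means the body is accepted."""
    findings: List[str] = []
    doc = json.loads(payload)
    if "urn:ietf:params:scim:schemas:core:2.0:User" not in doc.get("schemas", []):
        findings.append("missing core User schema")
    ext = doc.get("externalId")
    if not isinstance(ext, str) or not ext:
        findings.append("externalId must be a non-empty string")
    elif ext.isdigit():
        # Reject purely numeric identifiers so they can never collide with internal user IDs.
        findings.append("externalId is purely numeric; rejected to avoid internal-ID collision")
    return findings
```

The validator is independent of the lookup fix: even with `hardened_resolve` in place, rejecting numeric externalId values at the boundary gives a log signal for provisioning attempts that should not occur.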
Read More: https://thehackernews.com/2025/11/grafana-patches-cvss-100-scim-flaw.html