
Grafana Enterprise security update: critical severity security fix for CVE-2025-41115
Along with the release of Grafana Enterprise 12.3, we are releasing updated versions of Grafana Enterprise 12.2.1, 12.1.3 and 12.0.6, all of which contain a fix for a critical severity vulnerability (CVE-2025-41115) discovered in the SCIM (System for Cross-domain Identity Management) provisioning feature. Under certain configurations this issue could allow privilege escalation or user impersonation.
Patched releases:
- Grafana Enterprise 12.3.0 (latest release) with security patch
- Grafana Enterprise 12.2.1 with security patch
- Grafana Enterprise 12.1.3 with security patch
- Grafana Enterprise 12.0.6 with security patch
Grafana Labs customers received patch versions in advance and appropriate patches have been applied to Grafana Cloud. As always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Grafana OSS users are not affected by this issue.
Incorrect privilege assignment (CVE-2025-41115)
Summary
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.
In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId. Because that value is used to derive the internal user identifier, it can collide with an existing internal user ID, which could lead to impersonation or privilege escalation.
This vulnerability applies only if all of the following conditions are met:
- The enableSCIM feature flag is set to true (see the docs on the SCIM provisioning feature)
- The user_sync_enabled config option in the [auth.scim] block is set to true
The CVSS score for this vulnerability is 10.0 Critical.
Impact
Grafana maps the SCIM externalId directly onto the internal user.uid, so a numeric value (e.g. "1") can be interpreted as an internal numeric user ID rather than as an opaque identifier.
In specific cases this allows the newly provisioned user to be treated as an existing internal account, such as the Admin, which is the impersonation or privilege escalation path.
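To make the failure mode concrete, the following is an added example written for this page in Go; it is not Grafana's implementation. The store, resolve and provision functions, the field names and the sample SCIM payload are all invented stand-ins that model the behaviour the advisory describes: an externalId copied straight into the uid, and a lookup that is willing to read a numeric-looking identifier as an internal user ID. The hardened variant rejects purely numeric externalIds and mints its own uid, keeping externalId only as a correlation attribute.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// scimUser is the subset of a SCIM 2.0 User resource this example reads.
type scimUser struct {
	UserName   string `json:"userName"`
	ExternalID string `json:"externalId"`
}

// user is a simplified internal account (illustrative fields, not Grafana's
// schema): numeric primary key, string uid, and the IdP's externalId as data.
type user struct {
	ID         int64
	UID        string
	ExternalID string
	Login      string
	IsAdmin    bool
}

type store struct {
	byID  map[int64]*user
	byUID map[string]*user
	next  int64
}

// newStore seeds a built-in admin with numeric id 1, the value that the
// advisory's example externalId "1" collides with.
func newStore() *store {
	s := &store{byID: map[int64]*user{}, byUID: map[string]*user{}, next: 2}
	admin := &user{ID: 1, UID: "admin-uid", Login: "admin", IsAdmin: true}
	s.byID[admin.ID] = admin
	s.byUID[admin.UID] = admin
	return s
}

func (s *store) add(u *user) {
	u.ID = s.next
	s.next++
	s.byID[u.ID] = u
	s.byUID[u.UID] = u
}

// resolve accepts either a numeric internal id or a string uid. Trying the
// numeric reading first is the ambiguity that turns a numeric uid into an
// alias for an existing account.
func (s *store) resolve(ref string) (*user, bool) {
	if n, err := strconv.ParseInt(ref, 10, 64); err == nil {
		if u, ok := s.byID[n]; ok {
			return u, true
		}
	}
	u, ok := s.byUID[ref]
	return u, ok
}

// provisionVulnerable copies externalId straight into uid (the flawed mapping).
func (s *store) provisionVulnerable(raw []byte) (*user, error) {
	var req scimUser
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, err
	}
	u := &user{UID: req.ExternalID, ExternalID: req.ExternalID, Login: req.UserName}
	s.add(u)
	return u, nil
}

// provisionHardened never derives identity from client-controlled input:
// purely numeric externalIds are refused and the uid is minted server-side.
func (s *store) provisionHardened(raw []byte) (*user, error) {
	var req scimUser
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, err
	}
	if req.UserName == "" || req.ExternalID == "" {
		return nil, errors.New("userName and externalId are required")
	}
	if _, err := strconv.ParseInt(req.ExternalID, 10, 64); err == nil {
		return nil, fmt.Errorf("externalId %q is numeric and could alias an internal user id", req.ExternalID)
	}
	uid, err := newUID()
	if err != nil {
		return nil, err
	}
	u := &user{UID: uid, ExternalID: req.ExternalID, Login: req.UserName}
	s.add(u)
	return u, nil
}

// newUID returns a random, prefixed uid that can never parse as an integer.
func newUID() (string, error) {
	b := make([]byte, 12)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "u-" + hex.EncodeToString(b), nil
}

func main() {
	// Constructed SCIM request from a hostile or compromised IdP (sample data).
	payload := []byte(`{"userName":"attacker@example.com","externalId":"1"}`)
	s := newStore()
	u, _ := s.provisionVulnerable(payload)
	got, _ := s.resolve(u.UID)
	fmt.Printf("vulnerable: uid %q resolves to login=%s admin=%v\n", u.UID, got.Login, got.IsAdmin)
	s = newStore()
	if _, err := s.provisionHardened(payload); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

The point of the hardened variant is not the numeric check alone: even a non-numeric externalId is still attacker-controlled, so it must never become the key by which the application identifies the account. Rejecting numeric values closes the specific collision described here; minting the uid server-side removes the whole class.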
Impacted versions
The vulnerability impacts Grafana Enterprise running on the following versions:
- Grafana Enterprise 12.0.0 through 12.2.0 (the patched releases 12.0.6, 12.1.3, 12.2.1 and 12.3.0 are not affected)
Appropriate patches have been applied to Grafana Cloud.
Solutions and mitigations
If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible. Until you can upgrade, note that the issue is only reachable when both conditions listed above are met, so disabling user_sync_enabled in the [auth.scim] block (or the enableSCIM feature flag) removes the exposure at the cost of SCIM provisioning. Because the attack requires a malicious or compromised SCIM client, it is also worth reviewing which identity providers hold SCIM credentials for your instance and whether any SCIM-provisioned user has a numeric externalId.
Timeline and post-incident review
Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.
- 2025-11-04 19:14 As part of internal audit and testing, we discovered that there is a scenario where user IDs can be overwritten when using SCIM with specific configuration.
- 2025-11-04 16:30 Internal incident declared. CVE-2025-41115 reserved.
- 2025-11-04 16:45 We concluded that the vulnerability had not been exploited in Grafana Cloud. Introduced immediate patch.
- 2025-11-05 17:52 Private release.
- 2025-11-19 10:33 Public release.
- 2025-11-19 20:00 Blog post published.
Reporting security issues
If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
You can also read more about our bug bounty program and find out who has made our Security Hall of Fame.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.