User Identity Handling Vulnerability in Grafana Enterprise and Cloud
CVE-2025-41115
Key Information:
- Vendor: Grafana
- CVE Published: 21 November 2025
What is CVE-2025-41115?
CVE-2025-41115 is a security vulnerability in Grafana Enterprise and Grafana Cloud that affects user identity management. Grafana, a widely used open-source analytics and monitoring platform, added SCIM (System for Cross-domain Identity Management) provisioning to automate user and team lifecycle management. The vulnerability is present in Grafana 12.x when SCIM provisioning is enabled and configured: a malicious or compromised SCIM client can provision a user whose external ID is a numeric value, and that value can override an existing internal user ID. The result can be user impersonation or privilege escalation, a significant risk for any organization that relies on Grafana for monitoring and analytics.
The issue only triggers under a specific configuration: both the enableSCIM feature flag and the user_sync_enabled config option must be set to true. When those conditions hold, an attacker can manipulate user identities and undermine the trust and access controls the organization depends on.
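As an added example (not Grafana's code), the following script performs the two checks a defender would want from the description above: whether a deployment sits in the affected version range with both enableSCIM and user_sync_enabled turned on, and whether an incoming SCIM user payload carries a purely numeric externalId that could be confused with an internal user ID. The grafana.ini section names `[feature_toggles]` and `[auth.scim]` are assumptions; the version bounds and option names come from this page.

```python
# Defender-side checks for the CVE-2025-41115 exposure conditions.
# Not Grafana's code; section names in grafana.ini are assumptions.
from configparser import ConfigParser
import json

AFFECTED_MIN = (12, 0, 0)   # first affected release (from the advisory)
FIXED = (12, 2, 1)          # first fixed release (from the advisory)


def parse_version(v: str) -> tuple:
    """Turn '12.1.0' into (12, 1, 0); any '-pre' style suffix is ignored."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_exposed(version: str, ini_text: str) -> bool:
    """True when the build is in the affected range AND both the enableSCIM
    feature flag and user_sync_enabled are on, as the advisory describes.
    The [feature_toggles] / [auth.scim] section names are assumptions."""
    cfg = ConfigParser()
    cfg.read_string(ini_text)
    scim_flag = cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    user_sync = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    in_range = AFFECTED_MIN <= parse_version(version) < FIXED
    return in_range and scim_flag and user_sync


def lint_scim_user(payload: str) -> list:
    """Return findings for a SCIM /Users JSON body. An externalId made only
    of digits is flagged because it could be mistaken for an internal
    numeric user ID, which is the confusion this CVE describes."""
    user = json.loads(payload)
    findings = []
    ext = user.get("externalId")
    if ext is None:
        findings.append("missing externalId")
    elif str(ext).isdigit():
        findings.append(f"numeric externalId {ext!r} could collide with an internal user ID")
    return findings


# Constructed sample inputs for a quick self-check (not real deployment data).
SAMPLE_INI = "[feature_toggles]\nenableSCIM = true\n\n[auth.scim]\nuser_sync_enabled = true\n"
SAMPLE_USER = '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"alice","externalId":"1"}'

if __name__ == "__main__":
    print(is_exposed("12.1.0", SAMPLE_INI), lint_scim_user(SAMPLE_USER))
```

Run the exposure check against each Grafana instance's version and grafana.ini, and the payload lint at a SCIM gateway or in a log review of provisioning requests; a non-numeric, IdP-issued externalId is the expected shape.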
Potential impact of CVE-2025-41115
- User Impersonation: The vulnerability enables unauthorized users to take on the identity of legitimate users, potentially leading to unauthorized access to sensitive data and critical operations within Grafana.
- Privilege Escalation: By overriding internal user IDs, an attacker may escalate their privileges within the system, allowing them to perform actions that should be restricted, which can compromise data integrity and confidentiality.
- Automated Exploitation Risks: If a compromised SCIM client is exploited, organizations could face widespread identity manipulation across their user base, creating extensive vulnerabilities not only within Grafana but potentially also in integrated systems and applications that rely on Grafana's user authentication.
Affected Version(s)
Grafana Enterprise 12.0.0 < 12.2.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
Grafana warns of max severity admin spoofing vulnerability
Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation.
Timeline
- Public PoC available
- Exploit known to exist
- First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability reserved