User Identity Handling Vulnerability in Grafana Enterprise and Cloud
CVE-2025-41115

10 CRITICAL

Key Information:

Vendor: Grafana

CVE Published: 21 November 2025

Badges

📈 Score: 1,510 | 👾 Exploit Exists | 🟡 Public PoC | 📰 News Worthy

What is CVE-2025-41115?

CVE-2025-41115 is a vulnerability in how Grafana Enterprise and Grafana Cloud handle user identity. Grafana, a widely used open-source analytics and monitoring platform, introduced SCIM (System for Cross-domain Identity Management) provisioning to automate user and team lifecycle management. The vulnerability affects Grafana versions 12.x when SCIM provisioning is enabled and configured. It allows a malicious actor or compromised SCIM client to provision a user with a numeric external ID that can potentially override existing internal user IDs. This could facilitate user impersonation or privilege escalation, creating significant risks for any organization relying on Grafana for monitoring and analytics.

The vulnerability triggers under a specific configuration: when both the enableSCIM feature flag and the user_sync_enabled config option are set to true. If exploited, it lets an attacker manipulate user identities, undermining trust and security protocols within the organization.

Potential impact of CVE-2025-41115

  1. User Impersonation: The vulnerability enables unauthorized users to take on the identity of legitimate users, potentially leading to unauthorized access to sensitive data and critical operations within Grafana.

  2. Privilege Escalation: By overriding internal user IDs, an attacker may escalate their privileges within the system, allowing them to perform actions that should be restricted, which can compromise data integrity and confidentiality.

  3. Automated Exploitation Risks: If a compromised SCIM client is exploited, organizations could face widespread identity manipulation across their user base, creating extensive vulnerabilities not only within Grafana but potentially also affecting integrated systems and applications that rely on user authentication processes.

Affected Version(s)

Grafana Enterprise 12.0.0 < 12.2.1
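
The exposure conditions described above (a version in the affected range with both SCIM settings enabled) can be checked against a grafana.ini file. This is an added example, not code from Grafana or from this page; the [feature_toggles] and [auth.scim] section names, the sample file and the function names are assumptions.

```python
import configparser
import re

# Affected range as listed on this page: Grafana Enterprise 12.0.0 < 12.2.1
AFFECTED_MIN, FIXED = (12, 0, 0), (12, 2, 1)
TRUE_VALUES = {"true", "1", "t", "yes", "y", "on"}

# Constructed sample, not from a real deployment. Section names are assumptions.
SAMPLE_INI = """\
app_mode = production
[feature_toggles]
enable = exampleToggle, enableSCIM
[auth.scim]
; SCIM user provisioning
user_sync_enabled = true
"""

def parse_version(text):
    """Return (major, minor, patch) from '12.1.0' or 'v12.1.0'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_true(value):
    return (value or "").strip().lower() in TRUE_VALUES

def scim_exposure(version, ini_text):
    """Check the three preconditions the page gives for CVE-2025-41115."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names case-sensitive (enableSCIM)
    # Keys may precede the first section header; park them in a dummy section.
    cp.read_string("[__top__]\n" + ini_text)
    toggles = cp["feature_toggles"] if cp.has_section("feature_toggles") else {}
    # A toggle can be listed under `enable = a, b` or set as `name = true`.
    listed = re.split(r"[,\s]+", toggles.get("enable", ""))
    flag_on = "enableSCIM" in listed or is_true(toggles.get("enableSCIM"))
    sync_on = is_true(cp.get("auth.scim", "user_sync_enabled", fallback=""))
    affected = AFFECTED_MIN <= parse_version(version) < FIXED
    return {"version_affected": affected, "enableSCIM": flag_on,
            "user_sync_enabled": sync_on,
            "exposed": affected and flag_on and sync_on}

if __name__ == "__main__":
    for v in ("12.1.0", "12.2.1"):
        print(v, scim_exposure(v, SAMPLE_INI))
```

Settings supplied through environment variables are not read here, and the version range is the one listed on this page, so check the vendor advisory for fixed releases inside it.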

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

November 2025 Cybersecurity Threat Advisory | Crowe UAE

Stay ahead of cyber threats with in-depth analysis of critical vulnerabilities, major attacks, and expert recommendations from the November 17–23, 2025 Threat Advisory. Learn about CVEs, brute-force surges, and proactive defense for your organization.

3 weeks ago

CVE-2025-41115: A Maximum-Severity Privilege Escalation Vulnerability in the Grafana SCIM Component | SOC Prime

Explore details for CVE-2025-41115 in Grafana SCIM, leading to impersonation and privilege escalation, with an overview on our SOC Prime blog.

3 weeks ago

Grafana Flags Critical SCIM Vulnerability CVE-2025-41115

Grafana warns of a critical SCIM flaw, CVE-2025-41115, that may allow admin impersonation. Organizations are urged to review SCIM and SAML mappings immediately.

3 weeks ago

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by GBHackers News

  • Vulnerability published

  • Vulnerability Reserved
