CVE-2025-41115: 
Grafana vulnerability analysis and mitigation

SCIM provisioning vulnerability (CVE-2025-41115) was discovered in Grafana Enterprise and Grafana Cloud versions 12.x, affecting the user identity handling mechanism. The vulnerability was internally discovered on November 4, 2025, and carries a Critical CVSS score of 10.0. This flaw affects systems where SCIM provisioning is enabled and configured, specifically requiring both the enableSCIM feature flag and user_sync_enabled config option to be set to true (NVD, Hacker News).

The vulnerability resides in the System for Cross-domain Identity Management (SCIM) component, which was introduced in April 2025 for automated user provisioning and management. The core issue lies in how Grafana maps SCIM externalId directly to the internal user.uid, where numeric values can be interpreted as internal numeric user IDs. This implementation flaw allows a malicious or compromised SCIM client to provision a user with a numeric externalId, potentially leading to the override of internal user IDs (Hacker News).

The vulnerability can lead to serious security implications including user impersonation and privilege escalation. In specific cases, a newly provisioned user could be treated as an existing internal account, such as the Admin, potentially gaining unauthorized administrative access to the system (Hacker News).

Grafana has released security updates to address this vulnerability. The fixed versions include Grafana Enterprise 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01, and 12.3.0. Given the severity of the issue, users are strongly advised to apply these patches immediately (Hacker News).