A newly disclosed security flaw in Grafana Enterprise has received a maximum-severity CVSS score of 10.0.
The issue affects Grafana’s System for Cross-domain Identity Management (SCIM) provisioning feature and could allow attackers to impersonate existing users, including administrators, under certain configurations.
In its advisory, Grafana said this vulnerability could lead to “… potential impersonation or privilege escalation.”
Inside the Grafana SCIM Privilege Escalation Flaw
Grafana introduced SCIM provisioning to streamline automated user lifecycle management, enabling identity providers to create, update, and deprovision users through standardized API calls.
The vulnerability (CVE-2025-41115) stems from a logic flaw in how Grafana Enterprise interprets the externalId attribute supplied by SCIM clients.
Under normal conditions, externalId should function only as an opaque, provider-supplied identifier used to correlate external identities with internal user objects.
Instead, Grafana mapped the externalId field directly to the internal user.uid — the integer-based identifier that determines a user’s identity and privilege level inside Grafana.
This meant that if a SCIM client, whether malicious or compromised, submitted a numeric externalId such as “1,” Grafana could mistake that value for the internal UID of an existing account.
If that UID corresponded to the built-in Administrator account, the newly provisioned user would be treated by the system as the Admin itself.
This misalignment between external identity metadata and core internal identifiers created a dangerous privilege collision.
An attacker with access to a SCIM client could craft a provisioning request that effectively overwrote or impersonated existing users, granting themselves full administrative rights without ever needing to authenticate through Grafana’s standard login flow.
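The mapping described above, reduced to a small model so the collision is visible in code. This is an added illustration, not Grafana's code: the Store, the integer UID 1 for the built-in admin, and the ScimUser fields are constructed for the example. VulnerableProvision feeds a client-supplied externalId straight into the internal UID, as the advisory describes; HardenedProvision keeps externalId as an opaque correlation key and lets only the server allocate internal identities.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Illustrative model only; this is not Grafana's code. It reproduces the
// mapping the advisory describes (SCIM externalId used as the integer
// internal user ID) next to a hardened variant that keeps externalId opaque.

// User is a minimal internal user record. UID is the integer identity that
// determines who the user is and what they may do.
type User struct {
	UID        int64
	Login      string
	ExternalID string // hardened path only: opaque IdP-supplied correlation key
	IsAdmin    bool
}

// ScimUser is the subset of a SCIM provisioning request used here.
type ScimUser struct {
	ExternalID string
	UserName   string
}

// Store is a constructed in-memory user table. UID 1 is the built-in
// administrator, as in the scenario the article describes.
type Store struct {
	byUID        map[int64]*User
	byExternalID map[string]int64 // externalId -> UID, hardened path only
	nextUID      int64
}

func NewStore() *Store {
	s := &Store{byUID: map[int64]*User{}, byExternalID: map[string]int64{}, nextUID: 2}
	s.byUID[1] = &User{UID: 1, Login: "admin", IsAdmin: true}
	return s
}

// VulnerableProvision models the flaw: externalId is parsed as the internal
// UID, so a numeric value that collides with an existing account binds the
// SCIM identity to that account, the admin included.
func (s *Store) VulnerableProvision(req ScimUser) (*User, error) {
	uid, err := strconv.ParseInt(req.ExternalID, 10, 64)
	if err != nil {
		return nil, fmt.Errorf("externalId %q is not numeric: %w", req.ExternalID, err)
	}
	if existing, ok := s.byUID[uid]; ok {
		return existing, nil // privilege collision: an existing user is handed back
	}
	u := &User{UID: uid, Login: req.UserName}
	s.byUID[uid] = u
	return u, nil
}

// HardenedProvision never derives an internal identity from client data:
// externalId is only a key in a separate correlation table and UIDs are
// always allocated locally. Repeats with the same externalId update the same
// SCIM-created user and can never reach an account created any other way.
func (s *Store) HardenedProvision(req ScimUser) (*User, error) {
	if req.ExternalID == "" || req.UserName == "" {
		return nil, errors.New("externalId and userName are required")
	}
	if uid, ok := s.byExternalID[req.ExternalID]; ok {
		u := s.byUID[uid]
		u.Login = req.UserName // update of a user this SCIM client already owns
		return u, nil
	}
	uid := s.nextUID
	s.nextUID++
	u := &User{UID: uid, Login: req.UserName, ExternalID: req.ExternalID}
	s.byUID[uid] = u
	s.byExternalID[req.ExternalID] = uid
	return u, nil
}

func main() {
	req := ScimUser{ExternalID: "1", UserName: "svc-sync"} // constructed request
	v, _ := NewStore().VulnerableProvision(req)
	h, _ := NewStore().HardenedProvision(req)
	fmt.Printf("vulnerable: uid=%d login=%s admin=%v\n", v.UID, v.Login, v.IsAdmin)
	fmt.Printf("hardened:   uid=%d login=%s admin=%v\n", h.UID, h.Login, h.IsAdmin)
}
```

The design point is the separate correlation table: once externalId can only ever select among users that SCIM itself created, a colliding value is harmless, whatever the identity provider or a compromised client sends.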
For exploitation to occur, two specific configuration conditions must be enabled simultaneously. First, the enableSCIM=true feature flag must be active, which turns on Grafana’s SCIM provisioning capability.
Second, the [auth.scim] user_sync_enabled=true option must be set, allowing SCIM to create and manage user accounts within Grafana.
Without both settings enabled at the same time, the vulnerability cannot be triggered.
Only deployments meeting both conditions — and running affected versions 12.0.0 through 12.2.1 — were exposed to the vulnerability.
Grafana OSS users were not impacted because SCIM provisioning is an Enterprise-only feature.
Grafana Labs discovered the issue during an internal security audit.
Patches were released for all affected versions and Grafana confirmed that there was no evidence of exploitation.
How to Protect Against Grafana SCIM Exploits
The following measures outline the steps organizations should take to protect against impersonation, detect suspicious SCIM activity, and ensure no unauthorized access persists after remediation.
- Upgrade to a patched Grafana Enterprise version and disable SCIM provisioning until updates are applied.
- Restrict SCIM access by enforcing mTLS or strong client authentication and limiting traffic to approved identity provider sources.
- Audit SCIM and IdP logs for unexpected provisioning events, especially numeric externalId values or new privileged accounts.
- Monitor Grafana for anomalous authentication activity, privilege changes, and suspicious administrative actions.
- Enforce least-privilege IAM policies for SCIM clients and require MFA and network segmentation for access to Grafana.
- Implement SIEM rules and rate limiting to detect abnormal SCIM activity, unexpected API requests, or off-hours provisioning.
- Perform post-patch access reviews to ensure no unauthorized accounts, role changes, or impersonation events occurred.
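The audit and monitoring items in the list above, as an added detection example that is not part of the original article or of Grafana. The log layout (RFC 3339 timestamp, event name, key="value" pairs), the approved-source allowlist and the 08:00 to 18:00 UTC business window are all constructed for the example; adapt parseLine to whatever your SCIM endpoint and identity provider actually emit.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample audit lines in a simple key="value" layout. This is not
// Grafana's real log format. Addresses are from the documentation ranges.
const sampleLog = `2025-11-18T09:14:02Z scim.provision externalId="f47ac10b-58cc-4372-a567-0e02b2c3d479" userName="alice" role="Viewer" src="198.51.100.7"
2025-11-18T09:15:30Z scim.provision externalId="1" userName="svc-sync" role="Viewer" src="198.51.100.7"
2025-11-19T02:41:11Z scim.provision externalId="9c1d4e" userName="bob" role="Admin" src="203.0.113.9"
2025-11-19T10:05:00Z scim.deprovision externalId="f47ac10b-58cc-4372-a567-0e02b2c3d479" userName="alice" src="198.51.100.7"`

// Finding is one triage item: the 1-based line number and why it was flagged.
type Finding struct {
	Line   int
	Reason string
}

var (
	kvRe      = regexp.MustCompile(`(\w+)="([^"]*)"`)
	numericRe = regexp.MustCompile(`^[0-9]+$`)
)

// parseLine splits `<RFC3339 ts> <event> k="v" k="v" ...` into its parts.
func parseLine(line string) (time.Time, string, map[string]string, error) {
	parts := strings.SplitN(line, " ", 3)
	if len(parts) < 3 {
		return time.Time{}, "", nil, fmt.Errorf("malformed line %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return time.Time{}, "", nil, err
	}
	kv := make(map[string]string)
	for _, m := range kvRe.FindAllStringSubmatch(parts[2], -1) {
		kv[m[1]] = m[2]
	}
	return ts, parts[1], kv, nil
}

// ScanSCIMLog applies four checks to provisioning events: numeric externalId
// values (the shape that could collide with an internal UID), accounts created
// with the Admin role, requests from outside the approved IdP sources, and
// provisioning outside the [startHour, endHour) UTC window. Allowlist and
// window are constructed policy inputs for this example.
func ScanSCIMLog(log string, allowedSrc map[string]bool, startHour, endHour int) []Finding {
	var findings []Finding
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		n := i + 1
		ts, event, kv, err := parseLine(line)
		if err != nil {
			findings = append(findings, Finding{n, "unparseable: " + err.Error()})
			continue
		}
		if event != "scim.provision" {
			continue
		}
		if numericRe.MatchString(kv["externalId"]) {
			findings = append(findings, Finding{n, "numeric externalId " + kv["externalId"] + " (possible UID collision)"})
		}
		if kv["role"] == "Admin" {
			findings = append(findings, Finding{n, "account provisioned with Admin role: " + kv["userName"]})
		}
		if !allowedSrc[kv["src"]] {
			findings = append(findings, Finding{n, "provisioning from unapproved source " + kv["src"]})
		}
		if h := ts.UTC().Hour(); h < startHour || h >= endHour {
			findings = append(findings, Finding{n, "off-hours provisioning at " + ts.Format(time.RFC3339)})
		}
	}
	return findings
}

func main() {
	allowed := map[string]bool{"198.51.100.7": true} // constructed IdP egress address
	for _, f := range ScanSCIMLog(sampleLog, allowed, 8, 18) {
		fmt.Printf("line %d: %s\n", f.Line, f.Reason)
	}
}
```

On the constructed sample this flags line 2 once (numeric externalId) and line 3 three times (Admin role, unapproved source, off-hours); the routine deprovisioning on line 4 is ignored. The numeric-externalId check is the one specific to this flaw and is worth keeping in a post-patch access review even after the upgrade, since it points at any account that may have been bound to the wrong UID before patching.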
Strengthening resilience against identity-driven vulnerabilities requires treating automated provisioning systems with the same scrutiny as privileged accounts.
By tightening access controls, improving monitoring, and validating configurations post-patch, organizations can reduce the blast radius of similar flaws.
Identity Systems Are Prime Targets
The Grafana vulnerability highlights how identity automation systems — while important for scaling access management — can inadvertently widen the attack surface when misconfigurations or logic flaws go unnoticed.
As organizations increasingly rely on SCIM, SSO, and automated user lifecycle tooling, these identity abstractions become deeply embedded in critical infrastructure and privileged pathways.
This incident reflects a broader shift — identity-driven vulnerabilities now represent some of the highest-impact risks, often enabling full compromise without a single traditional exploit.
This growing reliance on automated identity pathways makes zero-trust solutions essential for ensuring that no user or system is implicitly trusted at any stage.
