Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that could be exploited to treat newly provisioned users as admins or for privilege escalation.
The issue is only exploitable when SCIM (System for Cross-domain Identity Management) provisioning is enabled and configured.
Specifically, both the ‘enableSCIM’ feature flag and the ‘user_sync_enabled’ option must be set to true to allow a malicious or compromised SCIM client to provision a user with a numeric externalId that maps to an internal account, including administrators.
The externalId is a SCIM bookkeeping attribute used by the identity provider to track users.
Because Grafana mapped this value directly to its internal user.uid, a numeric externalId such as “1” could be interpreted as an existing internal account, enabling impersonation or privilege escalation.
According to Grafana’s documentation, SCIM provisioning is currently in ‘Public Preview’ and there is limited support available. Because of this, adoption of the feature may not be widespread.
Grafana is a data visualization and monitoring platform used by a broad spectrum of organizations, from startups to Fortune 500 companies, for turning metrics, logs, and other operational data into dashboards, alerts, and analytics.
“In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation” – Grafana Labs
CVE-2025-41115 affects Grafana Enterprise versions between 12.0.0 and 12.2.1 (when SCIM is enabled).
Grafana OSS users are not affected, while Grafana Cloud services, including Amazon Managed Grafana and Azure Managed Grafana, have already received the patches.
Administrators of self-managed installations can address the risk by applying one of the following updates:
- Grafana Enterprise version 12.3.0
- Grafana Enterprise version 12.2.1
- Grafana Enterprise version 12.1.3
- Grafana Enterprise version 12.0.6
“If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions as soon as possible,” warns Grafana Labs.
The flaw was discovered during internal auditing on November 4, and a security update was released roughly 24 hours later.
During that time, Grafana Labs investigated and determined that the flaw had not been exploited in Grafana Cloud.
The public release of the security update and the accompanying bulletin followed on November 19.
Grafana users are advised to apply the available patches as soon as possible or to change the configuration (disable SCIM) to close potential exploitation opportunities.
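As an added illustration (not Grafana's own code), the following Python check combines the two conditions described above: a build that predates the fix on its 12.x line, using the patched versions listed above as thresholds, and a grafana.ini in which both the enableSCIM feature toggle and user_sync_enabled are on. It assumes those settings live in the [feature_toggles] and [auth.scim] sections, and the sample config fragments are constructed.

```python
import configparser
from typing import Tuple

# Fixed releases per the advisory, by 12.x minor line; 12.3.0 and later are fixed.
FIXED_PATCH_LEVEL = {0: (12, 0, 6), 1: (12, 1, 3), 2: (12, 2, 1)}
FIRST_FIXED_MINOR = 3

# Constructed sample grafana.ini fragments (not from any real deployment).
VULNERABLE_INI = """[feature_toggles]
enableSCIM = true
[auth.scim]
user_sync_enabled = true
"""
MITIGATED_INI = """[feature_toggles]
enableSCIM = true
[auth.scim]
user_sync_enabled = false
"""

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '12.2.0' (or '12.2.0-pre') into (12, 2, 0)."""
    core = version.split("-")[0]
    major, minor, patch = (int(part) for part in core.split(".")[:3])
    return major, minor, patch

def version_is_affected(version: str) -> bool:
    """True for a 12.x Enterprise build that predates the fix on its minor line."""
    major, minor, patch = parse_version(version)
    if major != 12 or minor >= FIRST_FIXED_MINOR:
        return False
    return (major, minor, patch) < FIXED_PATCH_LEVEL[minor]

def scim_sync_enabled(ini_text: str) -> bool:
    """True only when both settings the advisory names are on: the enableSCIM
    toggle (as its own key or in the 'enable' list) and user_sync_enabled."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    toggle = cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    enable_list = cfg.get("feature_toggles", "enable", fallback="")
    toggle = toggle or "enableSCIM" in [t.strip() for t in enable_list.split(",")]
    sync = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return toggle and sync

def exposed_to_cve_2025_41115(version: str, ini_text: str) -> bool:
    """Exposed only when the build lacks the fix AND SCIM user sync is active."""
    return version_is_affected(version) and scim_sync_enabled(ini_text)
```

Turning user_sync_enabled off (or upgrading) makes the check report not exposed, matching the two mitigations the advisory offers.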
Last month, GreyNoise reported unusually elevated scanning activity targeting an old path traversal flaw in Grafana, which, as the researchers have noted previously, could be used for mapping exposed instances in preparation for the disclosure of a new flaw.