CVE-2025-41115
Published 2025-11-21
Priority: P2 73 · critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 17.29% (96.7th percentile)
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by adding automated user lifecycle management.
In Grafana 12.x versions where SCIM provisioning is enabled and configured, a flaw in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId. Because that value is mapped onto Grafana's internal user IDs, the request can overwrite an existing internal account, including an administrator's, and lead to impersonation or privilege escalation.
This vulnerability applies only if all of the following conditions are met:
- `enableSCIM` feature flag set to true
- `user_sync_enabled` config option in the `[auth.scim]` block set to true
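The following is an added, deliberately simplified Python model of the identifier confusion the advisory describes. It is illustrative code written for this page, not Grafana's implementation; the store layout, the `upsert_from_scim` method, the seeded users and the SCIM request body are all assumptions. The vulnerable store treats an all-digit externalId as one of its own internal user IDs, so a SCIM create request carrying externalId "1" lands on the pre-existing Admin row; the hardened store resolves externalId only through its own index and never parses it as an internal ID.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int                      # internal numeric user id
    login: str
    email: str
    role: str                    # "Admin" or "Viewer" in this toy model
    external_id: Optional[str] = None


class VulnerableStore:
    """Assumed model of the flawed pattern: an externalId that looks numeric is
    coerced into an internal user id, so a SCIM POST can rewrite an existing
    (possibly Admin) account instead of creating a new one."""

    def __init__(self, users):
        self.users = {u.id: u for u in users}
        self.next_id = max(self.users) + 1

    def upsert_from_scim(self, body: str) -> User:
        req = json.loads(body)
        ext = str(req["externalId"])
        if ext.isdigit() and int(ext) in self.users:   # the identifier confusion
            user = self.users[int(ext)]
        else:
            user = User(self.next_id, "", "", "Viewer", ext)
            self.users[user.id] = user
            self.next_id += 1
        # attributes chosen by the SCIM client are applied to whichever row was picked
        user.login = req["userName"]
        user.email = req["emails"][0]["value"]
        user.external_id = ext
        return user


class HardenedStore(VulnerableStore):
    """externalId is only ever resolved through its own index; it is never
    interpreted as an internal id, so rows the IdP never created (here the
    seeded Admin, which has no externalId binding) stay out of reach."""

    def __init__(self, users):
        super().__init__(users)
        self.by_external = {u.external_id: u.id for u in users if u.external_id}

    def upsert_from_scim(self, body: str) -> User:
        req = json.loads(body)
        ext = req["externalId"]
        if not isinstance(ext, str) or not ext:
            raise ValueError("externalId must be a non-empty string")
        uid = self.by_external.get(ext)
        if uid is None:
            user = User(self.next_id, req["userName"], req["emails"][0]["value"], "Viewer", ext)
            self.users[user.id] = user
            self.by_external[ext] = user.id
            self.next_id += 1
            return user
        user = self.users[uid]                         # update the row this IdP created earlier
        user.login = req["userName"]
        user.email = req["emails"][0]["value"]
        return user


# Constructed sample state and request; not real accounts or captured traffic.
SEED = [User(1, "admin", "admin@example.test", "Admin")]
ATTACK = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "1",                                 # collides with the Admin's internal id
    "userName": "attacker",
    "emails": [{"value": "attacker@evil.test", "primary": True}],
})


def demo():
    """Run the same SCIM create against both stores; return (row touched, admin row) for each."""
    v = VulnerableStore([User(**vars(u)) for u in SEED])
    h = HardenedStore([User(**vars(u)) for u in SEED])
    return v.upsert_from_scim(ATTACK), v.users[1], h.upsert_from_scim(ATTACK), h.users[1]


if __name__ == "__main__":
    vr, vadmin, hr, hadmin = demo()
    print(f"vulnerable: row {vr.id} now login={vadmin.login!r} role={vadmin.role}")
    print(f"hardened:   new row {hr.id} role={hr.role}; admin row still login={hadmin.login!r}")
```

The point of the hardened variant is not the string check but the separate index: externalId is an opaque key owned by the identity provider and must live in its own namespace, so even a client that sends "1" can only ever create or update rows that were bound to that externalId by an earlier SCIM call.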
Affected (7 ranges)
The Go-module rows (github.com/grafana/grafana, from OSV) and the vendor rows (from the CPE data) disagree on the fixed versions; confirm the exact patched build against the Grafana advisory before closing a finding.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 1.9.2-0.20250310110405-e6fdb746f235 < 1.9.2-0.20251106142618-ca5d89812015 | 1.9.2-0.20251106142618-ca5d89812015 |
| github.com | grafana_grafana | >= 1.9.2-0.20250310110405-e6fdb746f235 | — |
| github.com | grafana_grafana | >= 12.0.0 < 12.0.7 | 12.0.7 |
| github.com | grafana_grafana | >= 12.1.0 < 12.1.4 | 12.1.4 |
| github.com | grafana_grafana | >= 12.2.0 < 12.2.2 | 12.2.2 |
| grafana | grafana | >= 12.0.0 < 12.2.1 | 12.2.1 |
| grafana | grafana_enterprise | >= 12.0.0 < 12.2.1 | 12.2.1 |
Detection & IOCs (extracted from sources)
- URL: /api/scim/v2/Users
- Content-Type: application/scim+json
- Snort/Suricata rule (sid:2065927):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana SCIM User Provisioning Privilege Escalation (CVE-2025-41115)"; flow:established,to_server; http.uri; content:"/api/scim/v2/Users"; fast_pattern; http.content_type; content:"application/scim+json"; http.request_body; content:"|22|externalId|22 3a|"; pcre:"/^\s*?\x22\d+\x22/R"; reference:url,github.com/B1ack4sh/Blackash-CVE-2025-41115; reference:cve,2025-41115; classtype:web-application-attack; sid:2065927; rev:1; metadata:affected_product Grafana, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_26, cve CVE_2025_41115, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Byte pattern: |22|externalId|22 3a| followed by pcre /^\s*?\x22\d+\x22/R, i.e. the JSON key "externalId": followed by a quoted all-digit value in the request body
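To show what the rule above does and does not catch, here is an added Python example (written for this page, not part of the Emerging Threats rule set or of Grafana) that mirrors the rule's URI, content-type and body tests on decrypted requests, next to a parser-based check of the same traffic. The request records and their bodies are constructed samples, as if captured by a TLS-terminating proxy in front of Grafana.

```python
import json
import re

SCIM_USERS_PATH = "/api/scim/v2/Users"
SCIM_CONTENT_TYPE = "application/scim+json"

# Python equivalent of the ET rule's body test: content:"|22|externalId|22 3a|"
# followed by pcre:"/^\s*?\x22\d+\x22/R" (R anchors at the end of the previous match).
RULE_BODY_RE = re.compile(r'"externalId":\s*?"\d+"')


def rule_hit(req: dict) -> bool:
    """Mirror the Snort/Suricata rule (sid:2065927) on one decrypted request."""
    return (SCIM_USERS_PATH in req["uri"]
            and SCIM_CONTENT_TYPE in req.get("content_type", "")
            and RULE_BODY_RE.search(req.get("body", "")) is not None)


def _external_ids(doc: dict):
    """Yield every externalId a SCIM create, replace or patch body could set."""
    if "externalId" in doc:
        yield doc["externalId"]
    for op in doc.get("Operations", []):          # SCIM PATCH, RFC 7644 section 3.5.2
        if not isinstance(op, dict):
            continue
        if op.get("path") == "externalId":
            yield op.get("value")
        elif isinstance(op.get("value"), dict) and "externalId" in op["value"]:
            yield op["value"]["externalId"]


def _looks_numeric(value) -> bool:
    if isinstance(value, bool):
        return False
    if isinstance(value, int):                    # unquoted JSON number
        return True
    return isinstance(value, str) and re.fullmatch(r"[0-9]+", value) is not None


def parser_hit(req: dict) -> bool:
    """Parse the body instead of pattern-matching it: also catches unquoted
    numbers and PATCH operations, which the regex alone does not."""
    if req["method"] not in ("POST", "PUT", "PATCH"):
        return False
    if not req["uri"].startswith(SCIM_USERS_PATH):
        return False
    try:
        doc = json.loads(req.get("body") or "")
    except ValueError:
        return False
    return isinstance(doc, dict) and any(_looks_numeric(v) for v in _external_ids(doc))


def scan(requests):
    """Return (index, rule_hit, parser_hit) for every request that either check flags."""
    out = []
    for i, req in enumerate(requests):
        r, p = rule_hit(req), parser_hit(req)
        if r or p:
            out.append((i, r, p))
    return out


# Constructed sample captures; not real traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/api/scim/v2/Users", "content_type": "application/scim+json",
     "body": '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"externalId": "1","userName":"attacker"}'},
    {"method": "POST", "uri": "/api/scim/v2/Users", "content_type": "application/scim+json",
     "body": '{"externalId":"00u9f1k2x3q4r5s6t7u8","userName":"alice@example.test"}'},
    {"method": "PUT", "uri": "/api/scim/v2/Users/abc123", "content_type": "application/scim+json",
     "body": '{"externalId": 7, "userName":"bob@example.test"}'},
    {"method": "PATCH", "uri": "/api/scim/v2/Users/abc123", "content_type": "application/scim+json",
     "body": '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],'
             '"Operations":[{"op":"replace","path":"externalId","value":"42"}]}'},
    {"method": "GET", "uri": "/api/scim/v2/Users?filter=userName%20eq%20%22alice%22",
     "content_type": "", "body": ""},
]

if __name__ == "__main__":
    for i, r, p in scan(SAMPLE_REQUESTS):
        print(f"request {i}: ET rule={'hit' if r else 'miss'} parser={'hit' if p else 'miss'}")
```

The regex form is what a network sensor can afford, and it fires on the textbook case (request 0). It is blind to an unquoted JSON number and to a PATCH operation that sets externalId through `Operations`, because neither body contains the literal `"externalId":` followed by a quoted digit string; a check on the parsed body at the proxy or in Grafana's own request logs covers those, at the cost of needing the decrypted body.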
- Only Grafana Enterprise 12.0.0–12.2.1 instances with BOTH the `enableSCIM` feature flag AND `user_sync_enabled` (in `[auth.scim]`) set to true are exploitable; instances with either option disabled are not affected, so triage alerts by confirming both settings before escalating.
- Monitor SCIM provisioning traffic (POST/PUT to /api/scim/v2/Users) for externalId values consisting only of digits. Identity providers normally emit opaque, globally unique externalId values (GUIDs or alphanumeric strings), so an all-digit value is a strong anomaly; confirm the format your IdP actually sends before treating every hit as malicious.
- The Emerging Threats rule (sid:2065927) inspects the HTTP request body and is tagged tls_state TLSDecrypt, so it only has coverage where HTTPS to Grafana is decrypted (SSL/TLS inspection at the perimeter, or a sensor behind the TLS-terminating proxy).
- Grafana OSS is not affected; only Grafana Enterprise 12.0.0–12.2.1 (self-managed) is vulnerable. Grafana Cloud, Amazon Managed Grafana, and Azure Managed Grafana have already been patched.
- SCIM provisioning is in 'Public Preview' with limited support, so adoption may not be widespread; scope detection efforts accordingly.
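Since both preconditions are plain configuration, the triage step can be scripted. The following is an added Python example (written for this page, not a Grafana tool) that reads a grafana.ini and reports whether both settings are on, checking the two `[feature_toggles]` forms (the comma-separated `enable` list and a per-toggle `enableSCIM = true` key) and the `[auth.scim]` block, then applying environment overrides. The environment variable names follow Grafana's GF_<SECTION>_<KEY> naming convention but are assumptions here; verify them against your deployment. The INI texts are constructed samples.

```python
import configparser
import os
import sys
from typing import Optional


def _truthy(value) -> bool:
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def _toggle_list(value) -> set:
    return {t.strip() for t in (value or "").split(",") if t.strip()}


def scim_triage(ini_text: str, env: Optional[dict] = None) -> dict:
    """Report whether an instance meets both preconditions from the advisory."""
    env = os.environ if env is None else env
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, inline_comment_prefixes=(";", "#"))
    cp.optionxform = str                      # keep camelCase key names such as enableSCIM
    # grafana.ini carries a few keys (app_mode, instance_name) before the first
    # section header; configparser needs a section, so wrap them in a dummy one.
    cp.read_string("[__global__]\n" + ini_text)

    flag = False
    if cp.has_section("feature_toggles"):
        ft = cp["feature_toggles"]
        flag = _truthy(ft.get("enableSCIM", "false") or "false") \
            or "enableSCIM" in _toggle_list(ft.get("enable", ""))
    # Env overrides (assumed names derived from the GF_<SECTION>_<KEY> convention).
    if "enableSCIM" in _toggle_list(env.get("GF_FEATURE_TOGGLES_ENABLE", "")):
        flag = True
    if "GF_FEATURE_TOGGLES_ENABLESCIM" in env:
        flag = _truthy(env["GF_FEATURE_TOGGLES_ENABLESCIM"])

    sync = cp.has_section("auth.scim") and \
        _truthy(cp["auth.scim"].get("user_sync_enabled", "false") or "false")
    if "GF_AUTH_SCIM_USER_SYNC_ENABLED" in env:
        sync = _truthy(env["GF_AUTH_SCIM_USER_SYNC_ENABLED"])

    return {"enableSCIM": flag, "user_sync_enabled": sync,
            "meets_advisory_preconditions": flag and sync}


# Constructed sample configurations; not taken from a real deployment.
VULNERABLE_INI = """\
app_mode = production

[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true   ; both advisory preconditions are met
"""

FLAG_ONLY_INI = """\
[feature_toggles]
enable = someOtherToggle, enableSCIM

[auth.scim]
;user_sync_enabled = false
"""

if __name__ == "__main__":
    # Usage: python scim_triage.py /etc/grafana/grafana.ini  (env overrides come from the process env)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_INI
    print(scim_triage(text))
```

Run it against the effective configuration of each Enterprise instance, with the same environment the Grafana process sees, since a container deployment may set `user_sync_enabled` only through the environment and leave grafana.ini untouched.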
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Red Hat (vendor): 10.0 CRITICAL
OSV
Grafana Incorrect Privilege Assignment vulnerability in github.com/grafana/grafana
osv · 2025-11-25
Grafana Incorrect Privilege Assignment vulnerability in github.com/grafana/grafana.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v1.9.2-0.20251106142618-ca5d89812015, from v12.0.0 before v12.0.7, from v12.1.0 before v12.1.4, from v12.2.0 before v12.2.2.
GHSA
Grafana Incorrect Privilege Assignment vulnerability
ghsa · 2025-11-21 · CRITICAL · CWE-266
Description: same advisory text as above.
OSV
Grafana Incorrect Privilege Assignment vulnerability
osv · 2025-11-21 · CRITICAL
Description: same advisory text as above.
Red Hat
grafana: Incorrect Privilege Assignment
vendor_redhat · 2025-11-25 · CVSS 10.0 · CRITICAL · CWE-266
Description: same advisory text as above, followed by Red Hat's own summary:
A flaw was found in Grafana. In Grafana where SCIM p
Suricata
ET WEB_SPECIFIC_APPS Grafana SCIM User Provisioning Privilege Escalation (CVE-2025-41115)
suricata · 2025-11-26 · CVSS 10.0 · CRITICAL
Rule: sid:2065927, rev:1; the full rule text is given under Detection & IOCs above.
No public exploits indexed. (The ET rule cites github.com/B1ack4sh/Blackash-CVE-2025-41115 as its reference; that repository is not indexed here.)
Wiz
Supply Chain Attacks & AI Vulnerabilities: December Cloud Security Update | Wiz
blogs_wiz · 2025-12-01 · CVSS 10.0 · CRITICAL
Welcome back! This edition delivers the latest cloud security highlights: key breaches, unique data findings, and must-watch vulnerabilities. Let’s jump in.
🔍 Highlights
Shai-Hulud 2.0: Ongoing Supply Chain Campaign Referencing Shai-Hulud
A new npm supply-chain campaign referencing Shai-Hulud temporarily compromised packages from Zapier, ENS Domains, PostHog, Postman, and others. This wave leveraged temporarily compromised npm maintainer accounts to publish trojanized versions of legitimate packages from major ecosystems. Wiz observed over 25,000 repositories containing secrets across ~350 unique users.
The malicious packages execute code during the preinstall phase, enabling theft of developer and CI/CD secrets and automated propagation to new repositories. Exfiltration is conducted c
BleepingComputer
Grafana warns of max severity admin spoofing vulnerability
blogs_bleepingcomputer · 2025-11-21 · CVSS 10.0 · CRITICAL
By Bill Toulas
Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation.
The issue is only exploitable when SCIM (System for Cross-domain Identity Management) provisioning is enabled and configured.
Specifically, both 'enableSCIM' feature flag and 'user_sync_enabled' options must be set to true to allow a malicious or compromised SCIM client to provision a user with a numeric externalId that maps to an internal account, including administrators.
The externalId is a SCIM bookkeeping attribute used by the identity provider to track users.
Because Grafana mapped this value directly to its intern