Description
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.

In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could override internal user IDs and lead to impersonation or privilege escalation.

This vulnerability applies only if all of the following conditions are met:
- `enableSCIM` feature flag set to true
- `user_sync_enabled` config option in the `[auth.scim]` block set to true

Published: 2025-11-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Impersonation and Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

SCIM provisioning was introduced in Grafana Enterprise to automate user lifecycle, but a flaw in user identity handling allows a compromised or malicious SCIM client to provision a user with a numeric externalId. This numeric identifier can override Grafana's internal user IDs, enabling the attacker to impersonate an existing user or elevate privileges. The weakness falls under CWE-266, Privilege-separation out of bounds, and results in a high-severity security impact.

Affected Systems

Grafana Enterprise versions 12.x with the SCIM feature enabled are affected. Both the `enableSCIM` feature flag and `user_sync_enabled = true` in the `[auth.scim]` block must be present for the vulnerability to be exploitable. The issue is specific to Grafana's SCIM implementation; installations outside the 12.x series, or with SCIM inactive, are not affected.

Risk and Exploitability

The CVSS score of 10 highlights the maximum severity, yet the EPSS score of less than 1% reflects a low likelihood of exploitation in the wild at present. The vulnerability is not currently listed in CISA’s KEV catalog. Exploitation would require a malicious or compromised SCIM client with appropriate permissions, making the attack vector internal to the SCIM integration. Even with a low probability, the potential for user impersonation or privileged access makes this a critical risk for organizations relying on SCIM provisioning.

Generated by OpenCVE AI on April 20, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Grafana Enterprise release that contains the SCIM identity handling fix
  • If immediate updating is not possible, disable SCIM integration by setting enableSCIM and user_sync_enabled to false until a patch is applied
  • Restrict externalId values to alphanumeric characters and enforce validation on SCIM clients to prevent numeric identifiers
  • Monitor audit logs for any provisioning actions that create users with numeric externalIds to detect attempts at privilege escalation
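The last two recommended actions (reject numeric externalId values at provisioning time, and look for them in audit logs) can be turned into concrete checks. The following is an added example and not Grafana's own code: it validates a SCIM 2.0 User resource against a policy that requires an opaque, non-numeric externalId, and runs a detection pass over constructed audit log lines. The log format, the `scim.user.create` / `scim.user.update` action names, and the allowed externalId character set are assumptions made for the example; Grafana's real audit log schema is not shown on this page.

```python
"""Defensive checks for SCIM user provisioning: policy validation of a
SCIM 2.0 User payload and detection of numeric externalIds in audit logs.
Added example; the log format and action names below are constructed."""
import json
import re
from typing import Any

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# A bare integer, optionally signed or padded with whitespace.
NUMERIC_ID = re.compile(r"^\s*[+-]?\d+\s*$")
# Assumed policy: opaque IdP identifiers such as "00u1abcd" or UUIDs.
# The allowed set (alphanumerics plus . _ -) is a policy choice for this example.
SAFE_EXTERNAL_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,255}$")


def is_numeric_external_id(value: Any) -> bool:
    """True when externalId is an integer, or a string that is only digits.

    Whitespace and a leading sign are tolerated so that "  2 " or "+007"
    are still caught: anything an integer parser would accept is suspect.
    """
    if isinstance(value, bool):  # bool is a subclass of int; never an id
        return False
    if isinstance(value, int):
        return True
    if isinstance(value, str):
        return bool(NUMERIC_ID.match(value)) or value.strip().isdigit()
    return False


def validate_scim_user(payload: dict) -> list:
    """Return policy violations for one SCIM 2.0 User resource (empty = ok)."""
    problems = []
    if SCIM_CORE_USER not in payload.get("schemas", []):
        problems.append("missing core User schema")
    if not payload.get("userName"):
        problems.append("userName is required")
    ext = payload.get("externalId")
    if ext is None:
        problems.append("externalId is required by policy")
    elif is_numeric_external_id(ext):
        problems.append(
            f"externalId {ext!r} is numeric and could collide with an internal user ID"
        )
    elif not isinstance(ext, str) or not SAFE_EXTERNAL_ID.match(ext):
        problems.append(f"externalId {ext!r} contains characters outside the allowed set")
    return problems


# Constructed JSON-lines audit log for the detection pass (not Grafana's format).
SAMPLE_AUDIT_LOG = """\
{"ts":"2025-11-21T10:00:00Z","action":"scim.user.create","client":"idp-prod","userName":"alice@example.com","externalId":"00u1abcd"}
{"ts":"2025-11-21T10:01:00Z","action":"scim.user.create","client":"idp-prod","userName":"mallory@example.com","externalId":"1"}
{"ts":"2025-11-21T10:02:00Z","action":"scim.group.update","client":"idp-prod","groupName":"admins","externalId":"7"}
{"ts":"2025-11-21T10:03:00Z","action":"scim.user.update","client":"idp-prod","userName":"bob@example.com","externalId":"  2 "}
this line is not JSON and is skipped
"""

USER_ACTIONS = {"scim.user.create", "scim.user.update"}


def find_suspicious_provisioning(log_text: str) -> list:
    """Return user provisioning events whose externalId is numeric."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or non-JSON lines are ignored
        if event.get("action") not in USER_ACTIONS:
            continue  # group events are out of scope for this check
        if is_numeric_external_id(event.get("externalId")):
            hits.append({
                "ts": event.get("ts"),
                "client": event.get("client"),
                "userName": event.get("userName"),
                "externalId": event.get("externalId"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_provisioning(SAMPLE_AUDIT_LOG):
        print("ALERT numeric externalId:", hit)
```

Run stand-alone, the block reports the two user events with digit-only identifiers and ignores the group event and the malformed line. The validator is meant to sit in front of the SCIM endpoint (or in the IdP's outbound mapping) so that a misconfigured or compromised client cannot submit an identifier that looks like an internal user ID in the first place; the log pass is the after-the-fact check for installations that cannot yet upgrade.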


Advisories
Source: Github GHSA
ID: GHSA-w62r-7c53-fmc5
Title: Grafana Incorrect Privilege Assignment vulnerability
History

Thu, 12 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
References

Thu, 08 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*

Tue, 16 Dec 2025 12:15:00 +0000

Type Values Removed Values Added
References
Metrics: threat_severity
Values Removed: None
Values Added: Critical


Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Grafana
Grafana grafana
Grafana grafana Enterprise
Vendors & Products Grafana
Grafana grafana
Grafana grafana Enterprise

Fri, 21 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 14:30:00 +0000

Type Values Removed Values Added
Description SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to true
Title Incorrect privilege assignment
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Vendor: Grafana; Products: Grafana, Grafana Enterprise

MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-04-15T19:25:10.792Z

Reserved: 2025-04-16T09:19:26.442Z

Link: CVE-2025-41115

Vulnrichment

Updated: 2025-11-21T14:48:03.159Z

NVD

Status: Analyzed

Published: 2025-11-21T15:15:52.283

Modified: 2026-01-08T16:39:45.290

Link: CVE-2025-41115

Redhat

Severity: Critical

Publish Date: 2025-11-25T00:00:00Z

Links: CVE-2025-41115 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T16:30:06Z

Weaknesses