CVE-2025-41115
📋 TL;DR
A critical vulnerability in Grafana's SCIM provisioning allows a malicious or compromised SCIM client to provision a user whose externalId is a numeric string that can collide with an internal Grafana user ID, so the provisioned identity may be resolved as an existing user. This could lead to impersonation or privilege escalation. Only Grafana Enterprise and Grafana Cloud installations with SCIM provisioning enabled (the enableSCIM feature toggle plus user_sync_enabled = true under [auth.scim]) are affected; Grafana OSS does not ship SCIM provisioning.
💻 Affected Systems
- Grafana Enterprise (self-hosted) with SCIM provisioning enabled
- Grafana Cloud with SCIM provisioning enabled
📦 What is this software?
Grafana, by Grafana Labs, is an open-source observability and dashboarding platform. SCIM provisioning, the feature involved here, is an Enterprise/Cloud capability that lets an identity provider create, update and deactivate Grafana users (and sync teams) through the SCIM 2.0 protocol instead of relying on just-in-time creation at login.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Grafana instance through administrative privilege escalation: an attacker who can provision a user whose numeric externalId collides with an administrator's internal user ID could act as that administrator, read every data source and dashboard, and change instance configuration.
Likely Case
Privilege escalation that grants unauthorized access to dashboards, data sources or administrative functions in the organization the SCIM client serves, potentially leading to data exfiltration or service disruption.
If Mitigated
Limited impact if SCIM provisioning is disabled or properly secured, so that only the authorized identity provider can reach the SCIM endpoint and its credential has not been exposed.
🎯 Exploit Status
Exploitation requires a malicious or compromised SCIM client that can authenticate to the instance's SCIM endpoint with provisioning permissions; the endpoint is not reachable by unauthenticated attackers. The practical threat is therefore a compromised identity-provider integration or a leaked SCIM credential.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Grafana security advisory for the patched version of your release line. Grafana Cloud instances are updated by Grafana Labs; self-hosted Enterprise must be upgraded by the operator.
Vendor Advisory: https://grafana.com/security/security-advisories/CVE-2025-41115
Restart Required: Yes
Instructions:
1. Review the Grafana security advisory for the patched version matching your release line.
2. Back up grafana.ini, the Grafana database and any provisioning files.
3. Upgrade to the patched version.
4. Restart the Grafana service.
5. Verify that SCIM provisioning from your identity provider still works end to end.
🔧 Temporary Workarounds
Disable SCIM provisioning
Temporarily disable SCIM provisioning until patching is possible. Both settings below must be enabled for an instance to be exposed, so changing either one closes the provisioning path; changing both is the simplest safe state. Grafana reads its configuration at startup, so restart the service after editing.
Set enableSCIM = false in the [feature_toggles] section of grafana.ini (or remove enableSCIM from that section's enable list)
Set user_sync_enabled = false in the [auth.scim] section
Check for GF_FEATURE_TOGGLES_ENABLE and GF_AUTH_SCIM_USER_SYNC_ENABLED environment overrides, which take precedence over the file
🧯 If You Can't Patch
- Restrict access to the SCIM endpoint to the identity provider's known egress addresses only; this does not help if the attacker controls the identity provider itself
- Implement network segmentation to isolate Grafana's SCIM endpoint from untrusted networks
- Rotate the credential the SCIM client uses to authenticate to Grafana if that client may be compromised, and review recently provisioned users for unexpected numeric externalId values
🔍 How to Verify
Check if Vulnerable:
Check the Grafana configuration (including GF_* environment overrides) for both conditions: enableSCIM enabled under [feature_toggles] and user_sync_enabled = true under [auth.scim]. If either is off, the instance is not exposed; if both are on and the version is unpatched, it is.
Check Version:
grafana-server -v on the host, or the About entry in the web interface's help menu
Verify Fix Applied:
Verify the running version is at or above the patched version listed in the advisory, then confirm that normal SCIM provisioning from your identity provider still succeeds (if your identity provider legitimately issues numeric externalId values, confirm those users are still provisioned correctly on the patched build).
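A check for the exposed configuration described under Temporary Workarounds and How to Verify above, as an added Python example (not code from this page or from Grafana Labs). It parses grafana.ini text with configparser and applies Grafana's GF_<SECTION>_<KEY> environment-override convention, because an override can re-enable user sync that the file disables. The two ini strings are constructed samples; on a real host, point it at the actual grafana.ini and pass os.environ.

```python
import configparser
import os
import sys

TRUE_VALUES = {"true", "1", "yes", "on"}

# Constructed sample: the exposed configuration (SCIM feature toggle on, user sync on).
EXPOSED_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
group_sync_enabled = true
"""

# Constructed sample: the same file with the workaround applied.
MITIGATED_INI = """
[feature_toggles]
enableSCIM = false

[auth.scim]
user_sync_enabled = false
group_sync_enabled = true
"""


def _truthy(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def scim_exposure(ini_text, env=None):
    """Report whether the SCIM user-provisioning path this CVE lives in is enabled.

    Both conditions from the advisory must hold for the instance to be exposed:
    the enableSCIM feature toggle and [auth.scim] user_sync_enabled.
    `env` is a mapping of GF_* overrides (pass os.environ on a real host);
    Grafana lets GF_<SECTION>_<KEY> override the file, so the file alone
    can under-report.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    # configparser lowercases option names, so the enableSCIM lookup below still matches.
    cfg.read_string(ini_text)
    env = env or {}

    # The toggle can be its own key or appear in the comma-separated `enable` list;
    # GF_FEATURE_TOGGLES_ENABLE overrides that list.
    feature_flag = _truthy(cfg.get("feature_toggles", "enableSCIM", fallback=None))
    enable_list = env.get(
        "GF_FEATURE_TOGGLES_ENABLE", cfg.get("feature_toggles", "enable", fallback="")
    )
    if "enablescim" in [t.strip().lower() for t in enable_list.split(",")]:
        feature_flag = True

    user_sync = _truthy(cfg.get("auth.scim", "user_sync_enabled", fallback=None))
    if "GF_AUTH_SCIM_USER_SYNC_ENABLED" in env:
        user_sync = _truthy(env["GF_AUTH_SCIM_USER_SYNC_ENABLED"])

    return {
        "feature_flag": feature_flag,
        "user_sync": user_sync,
        "exposed": feature_flag and user_sync,
    }


if __name__ == "__main__":
    # Usage: python scim_check.py [/path/to/grafana.ini]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/grafana/grafana.ini"
    with open(path) as fh:
        print(scim_exposure(fh.read(), os.environ))
```

Run it on each node behind a load balancer rather than once: a node started with a different environment can be exposed while the shared grafana.ini says it is not.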
📡 Detection & Monitoring
Log Indicators:
- SCIM create or update requests (POST, PUT, PATCH on the Users resource) whose externalId is an all-digit string, especially a small integer that matches an existing Grafana user ID
- A provisioned user resolving to an existing account, visible as changes to a long-standing user's login, email or role shortly after a SCIM write
- Failed authentication attempts against an account followed by a SCIM provisioning request that targets it
Network Indicators:
- SCIM API requests from any source other than the identity provider's known egress addresses
- Bursts of SCIM writes, or writes outside the identity provider's normal sync schedule
SIEM Query:
source="grafana" ("SCIM" OR "provisioning") (method=POST OR method=PUT OR method=PATCH) externalId=* | regex externalId="^\d+$"
(Illustrative Splunk-style syntax; field names depend on your log pipeline. externalId is only searchable if a gateway, proxy or the identity provider's own provisioning log records SCIM request bodies; Grafana's server log records the request line and status code, not the body.)
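The log and network indicators above turned into running detection logic, as an added Python example (not the page's own code or Grafana's). It scans gateway records that captured SCIM request bodies and flags writes to the Users resource that carry an all-digit externalId, the condition this CVE turns on, including externalId set through a PatchOp, and writes from outside the identity provider's known address. The four records, the /scim/v2/Users path and the trusted address 203.0.113.10 are constructed assumptions: Grafana's actual SCIM endpoint path and your identity provider's egress address will differ, and the bodies must be captured upstream of Grafana because its server log does not include them.

```python
import json
import re

NUMERIC_ID = re.compile(r"^\d+$")
WRITE_METHODS = {"POST", "PUT", "PATCH"}
USER_PATH = re.compile(r"/Users(/[^/?]+)?$")  # assumed SCIM layout; adapt to your endpoint
TRUSTED_SCIM_SOURCES = {"203.0.113.10"}  # assumed identity-provider egress address

# Constructed sample: gateway records with captured SCIM bodies, one line of JSON each.
SAMPLE_LOG = [
    '{"ts":"2025-11-19T10:00:01Z","src_ip":"203.0.113.10","method":"POST","path":"/scim/v2/Users","status":201,'
    '"body":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"alice@example.com",'
    '"externalId":"8f3c2d9e-5b1a-4e0f-9c2a-1f5e7d6b4a3c"}}',
    '{"ts":"2025-11-19T10:00:07Z","src_ip":"203.0.113.10","method":"POST","path":"/scim/v2/Users","status":201,'
    '"body":{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"mallory@example.com",'
    '"externalId":"1"}}',
    '{"ts":"2025-11-19T10:00:09Z","src_ip":"198.51.100.77","method":"PATCH","path":"/scim/v2/Users/42","status":200,'
    '"body":{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],'
    '"Operations":[{"op":"replace","path":"externalId","value":"2"}]}}',
    '{"ts":"2025-11-19T10:00:12Z","src_ip":"203.0.113.10","method":"GET","path":"/scim/v2/Users","status":200,'
    '"body":null}',
]


def external_ids(body):
    """Yield every externalId a SCIM write could set: the top-level attribute on
    POST/PUT, and any PatchOp add/replace that targets externalId either by path
    or inside a value object."""
    if not isinstance(body, dict):
        return
    if "externalId" in body:
        yield body["externalId"]
    for op in body.get("Operations", []):
        if op.get("op", "").lower() not in ("add", "replace"):
            continue
        if op.get("path", "").lower() == "externalid":
            yield op.get("value")
        elif isinstance(op.get("value"), dict) and "externalId" in op["value"]:
            yield op["value"]["externalId"]


def is_numeric_id(value):
    # A bare integer or an all-digit string can collide with an internal user ID.
    return isinstance(value, int) or (isinstance(value, str) and bool(NUMERIC_ID.match(value)))


def analyse(records, trusted=TRUSTED_SCIM_SOURCES):
    """Return one finding per suspicious SCIM write, with the reasons it was flagged."""
    findings = []
    for line in records:
        rec = json.loads(line)
        if rec["method"] not in WRITE_METHODS or not USER_PATH.search(rec["path"]):
            continue  # reads and non-user resources are out of scope
        reasons = []
        for ext in external_ids(rec["body"]):
            if is_numeric_id(ext):
                reasons.append(f"numeric externalId {ext!r}")
        if rec["src_ip"] not in trusted:
            reasons.append(f"untrusted source {rec['src_ip']}")
        if reasons:
            findings.append(
                {"ts": rec["ts"], "method": rec["method"], "path": rec["path"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The PatchOp branch matters because a client that cannot create a user with a numeric externalId may still be able to rewrite the externalId of one it already provisioned; alert on both paths, and treat a numeric externalId from the trusted address as seriously as one from an unknown source, since a compromised identity provider is exactly the threat this CVE describes.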