Grafana has issued a critical advisory for CVE-2025-41115, a maximum-severity vulnerability in Grafana Enterprise that fundamentally breaks the trust of identity management. This is not the SQL injection we initially feared—it is something far more elegant and terrifying: a Type Confusion and Identity Mapping flaw.
This vulnerability allows a malicious entity to manipulate the System for Cross-domain Identity Management (SCIM) integration to bypass authentication entirely and assume the identity of any user—including the Super Admin. The barrier to entry is low, the impact is total, and the fix must be applied now.
What to Remember
- The Mechanism: It’s an Identity Mapping flaw. Grafana incorrectly maps the SCIM externalId (string) directly to the internal user.uid (integer).
- The Exploit: An attacker simply sets their external ID to “1” to become the Admin (User ID 1). No password required.
- New Affected Scope: The vulnerability impacts Grafana Enterprise versions 12.0.x through 12.2.x. Grafana OSS is not affected.
- The Fix: You must upgrade to 12.3.0 or the specific backported patches (12.2.1+security-01, etc.) immediately.
- Immediate Mitigation: If you cannot patch, you must disable SCIM user synchronization in your config.
Technical Deep Dive: The “ExternalId” Logic Bomb
The root cause of CVE-2025-41115 is a failure in how Grafana Enterprise reconciles user identities provided by external Identity Providers (IdPs) like Okta or Azure AD.
When SCIM is used, the IdP sends a user object with an attribute called externalId. This is typically an opaque, unique string assigned by the provider. However, in vulnerable versions of Grafana (12.x), the backend logic attempts to cast this string directly into an integer and map it to Grafana’s internal user.uid field.
The Attack Chain:
- Configuration: The victim has enableSCIM = true and [auth.scim] user_sync_enabled = true.
- Payload: A compromised or malicious SCIM client sends a user provisioning request with the externalId set to the string "1".
- Type Confusion: Grafana interprets "1" not as an external label, but as the internal User ID 1.
- Account Takeover: In almost every Grafana instance, UID 1 is the Main Administrator. The system overwrites or links the attacker’s session to the Admin account.
- Result: The attacker is now the Super Admin, with full control over data sources, dashboards, and alerting channels.
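To make the mapping flaw concrete for code reviewers, here is an added Go example (written for this post, not Grafana’s own code) that reconstructs the vulnerable reconciliation pattern beside a hardened form. The Directory type, its user store and the scimUser struct are hypothetical stand-ins; the only assumption carried over from the advisory is that the first-created account, UID 1, is the administrator. The vulnerable resolver casts externalId to an integer and uses it as the internal key; the fixed resolver treats externalId as an opaque string and resolves it only through an explicit externalId-to-uid mapping recorded at first provisioning.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// User is a minimal stand-in for an internal Grafana user record (constructed for this example).
type User struct {
	UID   int64
	Login string
	Admin bool
}

// scimUser carries the two SCIM provisioning fields that matter for this flaw.
type scimUser struct {
	ExternalID string
	UserName   string
}

// Directory is a toy user store: uid -> user, plus the opaque externalId -> uid
// mapping that the hardened resolver relies on.
type Directory struct {
	byUID        map[int64]*User
	byExternalID map[string]int64
	nextUID      int64
}

// NewDirectory seeds the store with the first-created administrator as UID 1,
// mirroring the situation the advisory describes on most Grafana instances.
func NewDirectory() *Directory {
	d := &Directory{byUID: map[int64]*User{}, byExternalID: map[string]int64{}, nextUID: 1}
	d.addUser("admin", true)
	return d
}

func (d *Directory) addUser(login string, admin bool) *User {
	u := &User{UID: d.nextUID, Login: login, Admin: admin}
	d.byUID[u.UID] = u
	d.nextUID++
	return u
}

// ResolveVulnerable reconstructs the flawed pattern from the advisory (hypothetical,
// not Grafana's code): a numeric externalId is parsed as an integer and treated as the
// internal uid, so the external label "1" lands on the administrator's record.
func (d *Directory) ResolveVulnerable(s scimUser) (*User, error) {
	if uid, err := strconv.ParseInt(s.ExternalID, 10, 64); err == nil {
		if u, ok := d.byUID[uid]; ok {
			return u, nil // type confusion: an external label used as an internal key
		}
	}
	return d.addUser(s.UserName, false), nil
}

// ResolveFixed never interprets externalId. It is an opaque string looked up in a
// dedicated mapping; an unknown value provisions a fresh, non-admin account.
func (d *Directory) ResolveFixed(s scimUser) (*User, error) {
	if s.ExternalID == "" {
		return nil, errors.New("scim: externalId is required")
	}
	if uid, ok := d.byExternalID[s.ExternalID]; ok {
		return d.byUID[uid], nil
	}
	u := d.addUser(s.UserName, false)
	d.byExternalID[s.ExternalID] = u.UID
	return u, nil
}

func main() {
	req := scimUser{ExternalID: "1", UserName: "newuser"}
	u, _ := NewDirectory().ResolveVulnerable(req)
	fmt.Printf("vulnerable: externalId %q -> uid %d admin=%v\n", req.ExternalID, u.UID, u.Admin)
	u, _ = NewDirectory().ResolveFixed(req)
	fmt.Printf("fixed:      externalId %q -> uid %d admin=%v\n", req.ExternalID, u.UID, u.Admin)
}
```

The design point is that the hardened path has no code path from the IdP-supplied string to an internal integer at all: the mapping table is the only bridge, and it is written by the server, never derived from the request.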
Updated: Affected Versions
Based on the latest official advisory, the scope of vulnerable versions is specific to the 12.x branch of Grafana Enterprise.
You are VULNERABLE if you are running:
- Grafana Enterprise 12.0.0 to 12.0.5
- Grafana Enterprise 12.1.0 to 12.1.2
- Grafana Enterprise 12.2.0 to 12.2.1 (prior to the security patch)
Conditions for Exploitation: The vulnerability is only exploitable if both of the following settings are enabled in your configuration:
- The feature toggle enableSCIM is set to true.
- The configuration option user_sync_enabled in the [auth.scim] block is set to true.
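The version ranges and the two configuration conditions above can be checked together. The following Go program is an added example for this post (not a Grafana tool): it reads a grafana.ini excerpt, tests for the enableSCIM toggle and [auth.scim] user_sync_enabled, and classifies a version string against the affected ranges listed in this article, treating any +security-NN suffix as a backported fix. The sample INI text is constructed; the [feature_toggles] section, with either a per-toggle key or a comma-separated enable list, is where Grafana reads toggles from grafana.ini, and the version parsing assumes a plain MAJOR.MINOR.PATCH[+suffix] string rather than the longer output of grafana-server -v.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed grafana.ini excerpt (not taken from any real deployment).
const sampleIni = `
[server]
http_port = 3000

[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
`

// parseIni is a minimal INI reader: section -> key -> value. Blank lines and
// comments starting with '#' or ';' are skipped.
func parseIni(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if cfg[section] == nil {
			cfg[section] = map[string]string{}
		}
		cfg[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return cfg
}

func isTrue(v string) bool { return strings.EqualFold(strings.TrimSpace(v), "true") }

// ExploitableConfig reports whether both advisory conditions hold: the enableSCIM
// feature toggle is on and [auth.scim] user_sync_enabled is true.
func ExploitableConfig(cfg map[string]map[string]string) bool {
	toggles := cfg["feature_toggles"]
	enableSCIM := isTrue(toggles["enableSCIM"])
	// Toggles may also be listed in the comma-separated "enable" key.
	for _, name := range strings.Split(toggles["enable"], ",") {
		if strings.TrimSpace(name) == "enableSCIM" {
			enableSCIM = true
		}
	}
	return enableSCIM && isTrue(cfg["auth.scim"]["user_sync_enabled"])
}

// VulnerableVersion checks a Grafana Enterprise version against the affected ranges:
// 12.0.0-12.0.5, 12.1.0-12.1.2 and 12.2.0-12.2.1 without a security suffix.
func VulnerableVersion(version string) bool {
	base, suffix, _ := strings.Cut(strings.TrimPrefix(version, "v"), "+")
	if strings.HasPrefix(suffix, "security-") {
		return false // backported fix such as 12.2.1+security-01
	}
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return false
	}
	n := make([]int, 3)
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		n[i] = v
	}
	if n[0] != 12 {
		return false
	}
	switch n[1] {
	case 0:
		return n[2] <= 5
	case 1:
		return n[2] <= 2
	case 2:
		return n[2] <= 1
	}
	return false
}

// AtRisk is true only when a vulnerable build runs with the exploitable configuration.
func AtRisk(version, ini string) bool {
	return VulnerableVersion(version) && ExploitableConfig(parseIni(ini))
}

func main() {
	for _, v := range []string{"12.2.1", "12.2.1+security-01", "12.3.0"} {
		fmt.Printf("%-20s vulnerable=%-5v at_risk=%v\n", v, VulnerableVersion(v), AtRisk(v, sampleIni))
	}
}
```

A false result from ExploitableConfig is not a reason to skip the upgrade: the check only tells you whether the emergency workaround is currently in effect on the file you fed it, and environment variables or provisioning can override grafana.ini at runtime.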
Updated: Remediation & Patches
Grafana Labs has released fixed versions. You must upgrade your instance to the version corresponding to your current minor release branch.
The Safe Versions (Patch Immediately):
- Latest Release: Upgrade to Grafana Enterprise 12.3.0 (Recommended)
- Patch for 12.2.x: Upgrade to 12.2.1+security-01
- Patch for 12.1.x: Upgrade to 12.1.3+security-01
- Patch for 12.0.x: Upgrade to 12.0.6+security-01
Emergency Workaround:
If an upgrade is impossible today, you must break the exploit chain by disabling the vulnerable feature.
Modify your grafana.ini or environment variables to set:
[auth.scim]
user_sync_enabled = false
Note: This will stop legitimate user synchronization from your IdP, but it will prevent the account takeover attack.
Conclusion: Trust No Input, Not Even From Your IdP
CVE-2025-41115 is a masterclass in why input validation matters, even for trusted backend protocols like SCIM. By trusting a simple ID mapping, Grafana inadvertently created a “skeleton key” for its own front door. The shift from a theoretical SQL injection (as initially suspected by some researchers) to a confirmed logic/type confusion flaw highlights the complexity of modern identity handling.
This pattern of “trusted input becoming attack vector” echoes the recent React2Shell vulnerability (CVE-2025-55182), where serialized props—normally trusted data—enabled full RCE. Both vulnerabilities underscore the importance of understanding trust boundaries in your security architecture.
Do not wait. Check your version number now. If the version string starts with “12” and you use SCIM, you are in the danger zone.
To further enhance your cloud security, contact me on LinkedIn Profile or [email protected].
Frequently Asked Questions (FAQ)
What exactly causes CVE-2025-41115?
The vulnerability is caused by a logic error where Grafana Enterprise accepts a numeric string in the SCIM externalId field and treats it as an internal user ID (UID). This allows an attacker to claim the ID of an existing administrator, such as UID 1.
I am using Grafana Open Source (OSS) version 12.1. Am I affected?
No. CVE-2025-41115 specifically affects Grafana Enterprise. The SCIM synchronization feature code does not exist in the Open Source edition.
I have SCIM enabled but user_sync_enabled is false. Am I safe?
Yes. The official advisory states that both the enableSCIM feature flag AND user_sync_enabled must be true for the exploit to work. However, upgrading is still strongly recommended to prevent future misconfiguration risks.
Does this vulnerability allow Remote Code Execution (RCE)?
Directly, no. It is an Authentication Bypass and Privilege Escalation vulnerability. However, once an attacker gains Admin access, they can potentially manipulate data sources or plugins to achieve RCE or exfiltrate sensitive data, making the outcome equally catastrophic.
How can I verify my Grafana version?
You can check the version number in the footer of the login page, the Server Admin settings page, or by running the command grafana-server -v in your server terminal.
Resources
- Official Grafana Security Advisory: https://grafana.com/security/security-advisories/cve-2025-41115/
- The Hacker News Analysis: Grafana Patches CVSS 10.0 SCIM Flaw
- Wiz Vulnerability Database: CVE-2025-41115 Details
- SCIM 2.0 Protocol Specification: Understanding the externalId attribute.