Critical Patch Alert: Grafana Slaps a 10.0 CVSS Flaw in SCIM Provisioning. Fix It Now or Risk a Very Bad Day

Grafana is a lifesaver when it comes to turning noisy telemetry into something humans can actually use. But this week, it delivered a not-so-fun surprise: a critical vulnerability in Grafana Enterprise that earned a flawless CVSS 10.0 score. Yes, the big shiny maximum score. The one you never want to see associated with your production dashboards.

If you rely on Grafana for enterprise monitoring or identity-integrated access, this is one to drop everything for.

The Flaw: What Just Happened?

Say hello to CVE-2025-41115, a nasty bug buried inside Grafana’s SCIM (System for Cross-domain Identity Management) feature. SCIM is great for automated user provisioning until a misbehaving client can use it to sneak in as someone far more important than it should be.

In Grafana Enterprise 12.0.0 through 12.2.1, if SCIM is enabled, a malicious or compromised SCIM client can supply a numeric externalId like "1", and Grafana will happily map that to an internal user ID.

And guess who usually sits at user ID 1?
Yep. Admin.

As Grafana’s Vardan Torosyan explained: when the SCIM externalId maps straight to the internal user.uid, a numeric value can collide with a real internal account. That collision can let a rogue provisioned user effectively impersonate a privileged internal identity. That is not “oops”… that is “yikes”.

This was caught in an internal audit on November 4, 2025, and Grafana pushed patches quickly.

Why You Should Care

A CVSS 10.0 is not marketing drama. It is the scoreboard telling you to move. Immediately.

Identity is the new battleground, and automated provisioning is a double-edged sword. One compromised SCIM client, one careless config, and you are staring at unauthorized admin access. Imagine someone quietly siphoning dashboards, changing alert rules, or pivoting into downstream data sources.

A few bigger themes here:

  • Identity systems demand paranoia. Automation does not replace validation.
  • Preview features in enterprise tools should be treated like open flames. Cool, powerful, and capable of burning your entire weekend.
  • Attack surfaces are growing fast as tools like Grafana integrate deeper with identity providers.

If you are syncing users from Azure AD, Okta, or any other IdP via SCIM, treat this like a fire drill.

The Fix: Patch, Audit, and Verify

Grafana released patched versions:

  • 12.0.6 security-01
  • 12.1.3 security-01
  • 12.2.1 security-01
  • 12.3.0 (general release)

Do this now:

  1. Upgrade immediately.
  2. Lock down SCIM clients and ensure only trusted sources can provision identities.
  3. Check your logs for suspicious user creation activity since April 2025.
  4. Test in staging and verify your identity flow is still healthy.
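To make the collision concrete and to give step 3 something runnable, here is an added example (not Grafana's code, and not the fix Grafana shipped) that models the pre-patch mapping described above beside a hardened version, and audits a batch of SCIM user payloads for purely numeric externalId values. The SCIM request bodies, the internal user table, and the `scim:` namespacing are all constructed assumptions; in practice the payloads would come from your IdP or API-gateway logs.

```python
import json
import re

# Constructed SCIM 2.0 user payloads (sample input, not taken from the advisory).
SAMPLE_REQUESTS = [
    '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"externalId":"1","userName":"svc-reporting"}',
    '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"externalId":"00u1abcDEF","userName":"alice@example.com"}',
    '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"externalId":"42","userName":"bob@example.com"}',
]

# Constructed stand-in for Grafana's internal user table (uid -> login). uid "1" is the built-in admin.
INTERNAL_USERS = {"1": "admin", "2": "alice", "3": "bob"}

NUMERIC_ID = re.compile(r"^\d+$")


def vulnerable_resolve(payload: str) -> str:
    """Pre-patch behaviour as the advisory describes it: externalId is used directly as user.uid."""
    user = json.loads(payload)
    ext = user["externalId"]
    # A bare number such as "1" lands on the existing internal account with that uid
    # instead of creating a fresh, namespaced identity for the provisioned user.
    return INTERNAL_USERS.get(ext, f"new:{user['userName']}")


def hardened_resolve(payload: str):
    """Hardened handling (an assumption, not Grafana's actual patch): never let externalId select an internal uid.

    Returns the namespaced identity, or None when the request must be refused.
    """
    user = json.loads(payload)
    ext = user["externalId"]
    if NUMERIC_ID.match(ext):
        # Purely numeric ids can collide with internal uids; refuse rather than map.
        return None
    # Namespace provisioned identities so they can only ever match other SCIM-provisioned records.
    return f"scim:{ext}"


def audit_numeric_external_ids(payloads):
    """Step 3 of the fix list: flag provisioning requests whose externalId is purely numeric."""
    hits = []
    for p in payloads:
        user = json.loads(p)
        if NUMERIC_ID.match(user.get("externalId", "")):
            hits.append((user["externalId"], user["userName"]))
    return hits
```

Any hit returned by `audit_numeric_external_ids` should be cross-checked against the internal user table for the uid it names, since that is the account the provisioned identity would have been mapped onto before the patch.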

Full details are in Grafana’s security advisory. But if you think you are exposed, act now and read later.

Final Thoughts

Bugs like CVE-2025-41115 are a harsh reminder that even powerhouse platforms require constant scrutiny. In my experience, strong patch discipline and tight identity controls prevent more incidents than any shiny add-on security tool.

Stay safe and patch fast.
Source: The Hacker News, November 19, 2025