November 21, 2025 By Bill Toulas

Grafana Labs is warning of a maximum-severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to have newly provisioned users treated as administrators, or otherwise to escalate privileges.
The issue is only exploitable when SCIM (System for Cross-domain Identity Management) provisioning is enabled and configured.
Specifically, both the 'enableSCIM' feature flag and the 'user_sync_enabled' option must be set to true for a malicious or compromised SCIM client to be able to provision a user with a numeric externalId that maps to an internal account, including an administrator's.
The externalId is a SCIM bookkeeping attribute used by the identity provider to track users.
Because Grafana mapped this value directly to its internal user.uid, a numeric externalId such as "1" could be interpreted as an existing internal account, enabling impersonation or privilege escalation.
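The identifier confusion described above, shown as an added, simplified model that is not Grafana's code: a provisioning store that keys accounts on the SCIM externalId directly, beside one that generates its own uids and keeps externalId as a separate lookup attribute. The `User`, `NaiveStore` and `HardenedStore` names and the seeded admin account are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    uid: str
    login: str
    is_admin: bool = False
    external_id: Optional[str] = None  # SCIM bookkeeping attribute, if provisioned


class NaiveStore:
    """Vulnerable pattern: the SCIM externalId is used directly as the internal uid."""

    def __init__(self, users):
        self.users = {u.uid: u for u in users}

    def provision(self, external_id: str, login: str) -> User:
        # Lookup-or-create keyed on externalId == uid, so a numeric externalId
        # such as "1" resolves to whichever internal account already has uid "1".
        user = self.users.get(external_id)
        if user is None:
            user = User(uid=external_id, login=login, external_id=external_id)
            self.users[external_id] = user
        return user


class HardenedStore:
    """Hardened pattern: uids are server-generated in their own namespace and the
    externalId is only a key in a separate index, so client input never names
    an existing internal account."""

    def __init__(self, users):
        self.users = {u.uid: u for u in users}
        self.by_external = {u.external_id: u for u in users if u.external_id}
        self.counter = 0

    def provision(self, external_id: str, login: str) -> User:
        user = self.by_external.get(external_id)
        if user is None:
            self.counter += 1
            uid = f"scim-{self.counter}"  # never derived from the SCIM request
            user = User(uid=uid, login=login, external_id=external_id)
            self.users[uid] = user
            self.by_external[external_id] = user
        return user


def demo():
    """Provision externalId "1" against a store seeded with an admin whose uid is "1"."""
    naive = NaiveStore([User(uid="1", login="admin", is_admin=True)])
    hardened = HardenedStore([User(uid="1", login="admin", is_admin=True)])
    return naive.provision("1", "newcomer"), hardened.provision("1", "newcomer")
```

In the naive store the new SCIM user silently becomes the seeded administrator; in the hardened store it gets a fresh, non-privileged account.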