Grafana has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations.

The vulnerability, tracked as CVE-2025-41115 , carries a CVSS score of 10.0. It resides in the System for Cross-domain Identity Management ( SCIM ) component that allows automated user provisioning and management. First introduced in April 2025, it's currently in public preview.

"In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow for overriding internal user IDs and lead to impersonation or privilege escalation," Grafana's Vardan

See Full Page