Incorrect privilege assignment
Description
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.
In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow internal user IDs to be overridden and lead to impersonation or privilege escalation.
This vulnerability applies only if all of the following conditions are met:
- enableSCIM feature flag set to true
- user_sync_enabled config option in the [auth.scim] block set to true
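To make the identifier-namespacing point concrete, here is an added Go example (not Grafana's own code) that models what the fix commit listed under Patches does: a derived uid that always carries the scim- prefix, a resolver in which an all-digit identifier can only match the internal numeric id, and an idempotent in-memory twin of the patch's data migration. `User`, `UIDFromExternalID`, `ResolveUser` and `PrefixProvisionedUIDs` are assumed names; the scim- prefix and the 190 column width are taken from the patch.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Prefix and uid column width, both taken from the fix migration on this page.
const scimPrefix, uidMaxLen = "scim-", 190

type User struct { // hypothetical stand-in for the columns the migration touches
	ID            int64
	UID           string
	IsProvisioned bool
}

// UIDFromExternalID derives the stored uid. Stored raw, a numeric externalId such as
// "1" could be confused with internal id 1; the prefix keeps the namespaces disjoint.
func UIDFromExternalID(externalID string) (string, error) {
	uid := scimPrefix + strings.TrimSpace(externalID)
	if uid == scimPrefix || len(uid) > uidMaxLen {
		return "", fmt.Errorf("externalId %q is empty or too long for the uid column", externalID)
	}
	return uid, nil
}

// ResolveUser resolves a subject identifier: all-digit identifiers match only
// the internal id, anything else only the uid, so a uid can never alias an id.
func ResolveUser(users []User, ident string) (*User, error) {
	n, numErr := strconv.ParseInt(ident, 10, 64)
	for i := range users {
		if (numErr == nil && users[i].ID == n) || (numErr != nil && users[i].UID == ident) {
			return &users[i], nil
		}
	}
	return nil, fmt.Errorf("unknown user %q", ident)
}

// PrefixProvisionedUIDs is an in-memory twin of the patch's data migration (idempotent).
func PrefixProvisionedUIDs(users []User) int {
	changed := 0
	for i := range users {
		if users[i].IsProvisioned && !strings.HasPrefix(users[i].UID, scimPrefix) {
			users[i].UID = scimPrefix + users[i].UID
			changed++
		}
	}
	return changed
}
```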
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A vulnerability in Grafana 12.x SCIM provisioning allows a malicious SCIM client to override internal user IDs via a numeric externalId, leading to impersonation or privilege escalation.
Vulnerability
Overview
In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId. This can override internal user IDs, potentially leading to impersonation or privilege escalation [1][2].
Exploitation
Conditions
The vulnerability is exploitable only when both the enableSCIM feature flag is set to true and the user_sync_enabled config option in the [auth.scim] block is set to true [2]. An attacker who controls or compromises a SCIM client can craft a provisioning request with a numeric externalId that matches an existing internal user ID, thereby overwriting the identity mapping.
Impact
Successful exploitation allows the attacker to impersonate another user or escalate privileges within the Grafana instance. This could lead to unauthorized access to dashboards, data sources, and administrative functions, depending on the privileges of the targeted user [2].
Mitigation
Grafana has released version 12.3.0, which addresses this vulnerability [1]. Users running Grafana 12.x with SCIM provisioning enabled should upgrade to 12.3.0 or later. If upgrading is not immediately possible, disabling the SCIM feature flag (enableSCIM) or setting user_sync_enabled to false can serve as a temporary workaround [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana (Go) | >= 12.0.0, < 12.0.7 | 12.0.7 |
| github.com/grafana/grafana (Go) | >= 12.1.0, < 12.1.4 | 12.1.4 |
| github.com/grafana/grafana (Go) | >= 12.2.0, < 12.2.2 | 12.2.2 |
| github.com/grafana/grafana (Go) | >= 1.9.2-0.20250310110405-e6fdb746f235, < 1.9.2-0.20251106142618-ca5d89812015 | 1.9.2-0.20251106142618-ca5d89812015 |
Affected products
- Grafana/Grafana Enterprise (range: 12.0.0)
Patches
- ca5d89812015 SCIM: Upgrade the User.UID field to allow for the new scim- prefix (#113500)
1 file changed · +12 −0
pkg/services/sqlstore/migrations/user_mig.go+12 −0 modified@@ -181,6 +181,18 @@ func addUserMigrations(mg *Migrator) { mg.AddMigration("Add index on user.is_service_account and user.last_seen_at", NewAddIndexMigration(userV2, &Index{ Cols: []string{"is_service_account", "last_seen_at"}, Type: IndexType, })) + + // Expand uid column to safely accommodate 'scim-' prefix without truncation/collisions + mg.AddMigration("Expand user.uid length to 190", NewRawSQLMigration(""). + SQLite("SELECT 1;"). + Postgres("ALTER TABLE `user` ALTER COLUMN uid TYPE VARCHAR(190);"). + Mysql("ALTER TABLE user MODIFY uid VARCHAR(190);")) + + // Prefix SCIM UID for provisioned users to avoid numeric/existing-id collisions + mg.AddMigration("Prefix SCIM uid for provisioned users", NewRawSQLMigration(""). + SQLite("UPDATE user SET uid = 'scim-' || uid WHERE is_provisioned = 1 AND uid NOT LIKE 'scim-%';"). + Postgres("UPDATE `user` SET uid = 'scim-' || uid WHERE is_provisioned = TRUE AND uid NOT LIKE 'scim-%';"). + Mysql("UPDATE user SET uid = CONCAT('scim-', uid) WHERE is_provisioned = 1 AND uid NOT LIKE 'scim-%';")) } const migSQLITEisServiceAccountNullable = `ALTER TABLE user ADD COLUMN tmp_service_account BOOLEAN DEFAULT 0;
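Review bot: the data migration rewrites existing provisioned rows, but nothing in this commit (1 file changed, +12 −0, all in user_mig.go) makes new provisioning requests produce a scim- prefixed uid or reject a numeric externalId, so the collision this migration removes can reappear unless the write path is enforced elsewhere; a comment next to "Prefix SCIM uid for provisioned users" naming where that enforcement lives would save the next reader the search. Two smaller documentation points in the same hunk: the SQLite branch of "Expand user.uid length to 190" is `SELECT 1;`, which reads like a placeholder, so note that it is a deliberate no-op because SQLite does not enforce declared VARCHAR lengths; and the comment justifying the expansion does not say why 190 was chosen as the new width.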
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w62r-7c53-fmc5 (ghsa, advisory)
- grafana.com/security/security-advisories/cve-2025-41115 (mitre, vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-41115 (ghsa, advisory)
- github.com/grafana/grafana/commit/ca5d89812015ef2db3acc62826f73650450b331e (ghsa, web)
- github.com/grafana/grafana/releases/tag/v12.0.7 (ghsa, web)
- github.com/grafana/grafana/releases/tag/v12.1.4 (ghsa, web)
- github.com/grafana/grafana/releases/tag/v12.2.2 (ghsa, web)
- github.com/grafana/grafana/releases/tag/v12.3.0 (ghsa, web)
- grafana.com/security/security-advisories/CVE-2025-41115 (ghsa, web)