Grafana has released a set of emergency security patches after discovering a critical vulnerability in its Enterprise editions. The flaw, tracked as CVE-2025-41115, carries the maximum CVSS score of 10.0 and affects environments where the SCIM feature is enabled and used for automated user provisioning.

What went wrong

The issue stems from how Grafana handled SCIM externalId values during provisioning. A malicious or compromised SCIM client could register a user with a numeric externalId (for example “1”), which Grafana then mapped directly to an internal user ID. In certain setups, this could cause the newly created user to be treated as an existing account (potentially even the admin account), resulting in impersonation or privilege escalation.

The flaw only affects Grafana Enterprise versions 12.0.0 through 12.2.1, and requires both of the following to be enabled:

  • enableSCIM = true
  • user_sync_enabled = true in the SCIM configuration block.
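The two conditions above, combined with the externalId mapping described earlier, make a quick offline exposure check worthwhile. The following Python script is an added example written for this article, not Grafana's own code. It assumes that the two settings live under the `[feature_toggles]` and `[auth.scim]` sections of grafana.ini, takes the affected and fixed versions from the text above (generalised slightly: a build is treated as vulnerable when it sits on an affected 12.x branch below that branch's fixed release), and runs on constructed sample data embedded in the script: a small ini fragment and three SCIM user records, one of which carries the numeric externalId “1”.

```python
"""Exposure check for CVE-2025-41115 (added example; not Grafana's own code).

Answers two defender questions offline:
  1. Is this Grafana Enterprise instance in the vulnerable combination
     (affected version AND enableSCIM AND user_sync_enabled)?
  2. Do any SCIM-provisioned identities carry a purely numeric externalId,
     the value class that was mapped onto an internal user ID?
Section names [feature_toggles] and [auth.scim] are assumed grafana.ini
locations for the two settings; all sample data below is constructed.
"""
import configparser
import re

# Fixed release per affected 12.x branch, as listed in the article.
# A build is vulnerable when it sits on one of these branches below the fix.
FIXED_BY_BRANCH = {
    (12, 0): (12, 0, 6),
    (12, 1): (12, 1, 3),
    (12, 2): (12, 2, 1),
}


def parse_version(version):
    """'12.2.0' -> (12, 2, 0); trailing suffixes such as '-pre' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def version_vulnerable(version):
    """True for Enterprise builds on an affected branch below its fixed release."""
    v = parse_version(version)
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is None:  # 12.3.0 and later, or pre-12.0 branches: not in range
        return False
    return v < fix


def scim_sync_enabled(ini_text):
    """True when both SCIM settings named in the advisory are switched on."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    toggle = cp.getboolean("feature_toggles", "enableSCIM", fallback=False)
    sync = cp.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return toggle and sync


def numeric_external_ids(scim_users, internal_user_ids=()):
    """List (userName, externalId, collides) for every purely numeric externalId.

    `collides` is True when the number equals a known internal Grafana user ID,
    which is the collision path the advisory describes.
    """
    known = {int(i) for i in internal_user_ids}
    findings = []
    for user in scim_users:
        ext = str(user.get("externalId", ""))
        if ext.isdigit():
            findings.append((user.get("userName"), ext, int(ext) in known))
    return findings


def assess(version, ini_text, scim_users, internal_user_ids=()):
    """Combine the checks into one verdict dict."""
    vulnerable = version_vulnerable(version)
    enabled = scim_sync_enabled(ini_text)
    return {
        "version_vulnerable": vulnerable,
        "scim_sync_enabled": enabled,
        "exposed": vulnerable and enabled,
        "numeric_external_ids": numeric_external_ids(scim_users, internal_user_ids),
    }


# --- constructed sample data -------------------------------------------------
SAMPLE_INI_VULNERABLE = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

SAMPLE_INI_SAFE = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = false
"""

# Three constructed SCIM user records; internal IDs 1-3 are assumed to exist.
SAMPLE_SCIM_USERS = [
    {"userName": "alice@example.com", "externalId": "5f1c2e9a-3b7d-4c41-9a0e-1d2f3a4b5c6d"},
    {"userName": "bob@example.com", "externalId": "1"},
    {"userName": "carol@example.com", "externalId": "42"},
]
SAMPLE_INTERNAL_IDS = [1, 2, 3]

if __name__ == "__main__":
    report = assess("12.2.0", SAMPLE_INI_VULNERABLE, SAMPLE_SCIM_USERS, SAMPLE_INTERNAL_IDS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real instance, the inputs would be the running version from the `/api/health` endpoint, the instance's grafana.ini, and a dump of SCIM-provisioned users alongside the internal user table; the script flags any numeric externalId and separately marks those that coincide with an existing internal ID, since that is the case in which a provisioned identity could be treated as an existing account.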

The fixes

Grafana has shipped patched versions for all affected releases, including 12.0.6, 12.1.3, 12.2.1, and the newly released 12.3.0. Cloud customers received fixes under embargo before public disclosure, and managed offerings from AWS and Azure were confirmed secure at announcement time. Grafana Enterprise security upd…

Why this matters for hosting companies

Hosting companies rely on Grafana for monitoring uptime, server health, customer resource usage, alerting, and reporting. This makes dashboards and identity management not just operational components, but core parts of the service layer.

A flaw like CVE-2025-41115 can have disproportionate impact on hosting providers:

  • Administrative Takeover: If an attacker gains admin-level access, they could manipulate monitoring data, hide malicious activity, or disable alerts.
  • Customer Data Exposure: Compromised dashboards could leak sensitive internal or customer-facing analytics.
  • Service Instability: Misconfigured or manipulated monitoring can cause delayed responses to outages or resource spikes.
  • Reputation Damage: A security breach involving monitoring platforms undermines trust, especially for hosting firms, where reliability is the product.

In short: when the tool that monitors infrastructure becomes compromised, it ripples outward to the entire hosting ecosystem.

The industry lesson

Grafana is widely used across the hosting and cloud-services sector. This incident reinforces a straightforward but critical rule: monitoring platforms deserve the same update discipline as core infrastructure. Even small-sounding features like SCIM user provisioning can create high-impact risks if left unpatched.

Grafana OSS users are not affected, but any company running Grafana Enterprise with SCIM enabled should update immediately. The patches are available now for all vulnerable versions.