Grafana Labs has issued a warning regarding a maximum-severity security flaw, identified as CVE-2025-41115, affecting its Enterprise product. The vulnerability can allow attackers to impersonate administrators or escalate privileges if certain SCIM (System for Cross-domain Identity Management) settings are enabled.Β According to the company, the issue arises only when SCIM provisioning is activated and configured. Specifically, both the enableSCIM feature flag and the user_sync_enabled option must be set to true. Under these conditions, a malicious or compromised SCIM client could create a user with a numeric externalId that directly maps to an internal account, potentially even an administrative account.Β
In SCIM systems, the externalId attribute functions as a bookkeeping field used by identity providers to track user records. Grafana Labsβ implementation mapped this value directly to the platformβs internal user.uid. Because of this design, a numeric external ID such as β1β could be interpreted as an existing Grafana account. This behavior opens a door for impersonation or privilege escalation, enabling unauthorized users to assume the identity of legitimate internal accounts.Β Grafana Labs notes in its documentation that SCIM is intended to simplify automated provisioning and management of users and groups, particularly for organizations relying on SAML authentication. The feature, available in Grafana Enterprise and certain Grafana Cloud plans, remains in Public Preview. As a result, breaking changes may occur, and administrators are encouraged to test the feature thoroughly in non-production environments before deployment.Β
SAML Alignment Required to Prevent Authentication MismatchesΒ
A major security requirement highlighted by Grafana Labs involves the alignment between the SCIM externalId and the identifier used in SAML authentication. SCIM provisioning relies on a stable identity provider attribute, such as Entra IDβs user.objectid, which becomes the external ID in Grafana. SAML authentication must use the same unique identifier, delivered through a SAML claim, to ensure proper account linkage.Β If these identifiers do not match, Grafana may fail to associate authenticated SAML sessions with the intended SCIM-provisioned accounts. This mismatch can allow attackers to generate crafted SAML assertions that result in unauthorized access or impersonation. The company recommends using the assertion_attribute_external_uid setting to guarantee that Grafana reads the precise identity claim required to maintain secure user associations.Β To reduce risk, Grafana requires organizations to use the same identity provider for both user provisioning and authentication. Additionally, the SAML assertion exchange must include the correct userUID claim to ensure the system can link the session to the appropriate SCIM entry.Β
Configuration Requirements, Supported Workflows, and Automation CapabilitiesΒ
Administrators can set up SCIM in Grafana through the user interface, configuration files, or infrastructure-as-code tools such as Terraform. The UI option, available to Grafana Cloud users, applies changes without requiring a restart and allows more controlled access through restricted authentication settings.Β Grafanaβs SCIM configuration includes options for enabling user synchronization (user_sync_enabled), group synchronization (group_sync_enabled), and restricting access for accounts not provisioned through SCIM (reject_non_provisioned_users). Group sync cannot operate alongside Team Sync, though user sync can. Supported identity providers include Entra ID and Okta.Β SCIM provisioning streamlines user lifecycle tasks by automating account creation, updates, deactivation, and team management, reducing manual administrative work and improving security. Grafana notes that SCIM offers more comprehensive, near real-time automation than alternatives such as Team Sync, LDAP Sync, Role Sync, or Org Mapping.Β Grafana Labs is urging organizations to review their SCIM and SAML identifier mappings immediately, warning that inconsistencies may lead to unauthorized access scenarios tied to CVE-2025-41115.Β In parallel, cybersecurity intelligence leaders such as Cyble continue tracking identity-related risks and misconfigurations across global environments. Security teams looking to strengthen visibility, detect threats earlier, and reduce exposure can explore Cybleβs capabilities, book a free demo to see how Cybleβs AI-driven threat intelligence enhances defense across cloud, endpoints, and identity systems.Β
Login
