Grafana Enterprise max-severity SCIM privilege-escalation flaw (CVE-2025-41115)
Vulnerability
Summary
A max-severity flaw in Grafana Enterprise lets a malicious or compromised SCIM client turn new users into administrators or map them to existing internal accounts, creating immediate privilege-escalation risk. The issue is tracked as CVE-2025-41115 and affects versions 12.0.0 through 12.2.1 when enableSCIM and user_sync_enabled are both enabled. Grafana Cloud services were already patched, and Grafana OSS is not impacted. Self-managed operators are advised to upgrade to a patched release or disable SCIM to close the attack path.
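The exposure condition above is a combination of two settings and a version range, which makes it easy to audit from the configuration file. The following checker is an added example, not Grafana Labs' code or part of the bulletin: it reads a grafana.ini-style file, tests whether `enableSCIM` and `user_sync_enabled` are both on, and compares the running version against the patched releases named in the timeline (12.3.0, 12.2.1, 12.1.3, 12.0.6), treating each as the floor for its branch. The INI section names `[feature_toggles]` and `[auth.scim]` and the sample configurations are assumptions constructed for the example.

```python
"""Defensive exposure check for CVE-2025-41115 (added example, not Grafana's code).

Reports whether a self-managed Grafana Enterprise instance runs the risky
SCIM configuration on an unpatched build. Section names [feature_toggles]
and [auth.scim] are assumptions; the option names come from the advisory.
"""
import configparser

# Patched releases from the bulletin. A version on one of these branches is
# treated as unpatched when it is below the listed release; any other 12.x or
# later branch is patched from 12.3.0 onward.
FIXED_VERSIONS = {
    (12, 0): (12, 0, 6),
    (12, 1): (12, 1, 3),
    (12, 2): (12, 2, 1),
}
FIRST_PATCHED_NEW_BRANCH = (12, 3, 0)
FIRST_AFFECTED = (12, 0, 0)


def parse_version(text: str) -> tuple:
    """Turn 'v12.2.0' or '12.1.3-pre' into (12, 2, 0) / (12, 1, 3); suffixes are ignored."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_unpatched(version: str) -> bool:
    """True when the version is inside the affected range and below its branch fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # pre-12.0.0 builds are outside the affected range
    fixed = FIXED_VERSIONS.get(v[:2], FIRST_PATCHED_NEW_BRANCH)
    return v < fixed


def scim_user_sync_enabled(cfg: configparser.ConfigParser) -> bool:
    """True only when both settings named in the advisory are enabled."""
    toggle = cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    sync = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return toggle and sync


def assess(config_text: str, version: str) -> dict:
    """Combine the config check and the version check into one verdict."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    scim = scim_user_sync_enabled(cfg)
    unpatched = is_unpatched(version)
    exposed = scim and unpatched
    if exposed:
        action = "upgrade to a patched release, or disable SCIM until you can"
    elif scim:
        action = "patched; keep SCIM client credentials tightly controlled"
    else:
        action = "SCIM user sync is off; not exposed to this flaw"
    return {
        "version": version,
        "scim_user_sync": scim,
        "unpatched": unpatched,
        "exposed": exposed,
        "action": action,
    }


# Constructed sample configurations (not from any real deployment).
VULNERABLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

HARDENED_INI = """
[feature_toggles]
enableSCIM = false

[auth.scim]
user_sync_enabled = false
"""

if __name__ == "__main__":
    cases = [
        ("vulnerable", VULNERABLE_INI, "12.2.0"),
        ("upgraded", VULNERABLE_INI, "12.2.1"),
        ("scim off", HARDENED_INI, "12.2.0"),
    ]
    for label, ini, ver in cases:
        print(label, assess(ini, ver))
```

Run it against your own grafana.ini contents and the version reported by the instance; the `unpatched` field stays true for an old build even with SCIM off, so the output also tells you when the upgrade is still pending.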
Related Happenings
Grafana Labs Says GitHub hit by cyberattack
Incident
First: 17.05.2026 10:13
Last: 17.05.2026 10:13
Sources 1
About this happening:
A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
Grafana indirect prompt injection GrafanaGhost security flaw
Vulnerability
First: 07.04.2026 22:52
Last: 07.04.2026 22:52
Sources 1
About this happening:
**Grafana**'s **AI components** had an **indirect prompt injection** flaw, **GrafanaGhost**, that could let attackers **exfiltrate sensitive data** from user-visible content and s...
BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation Wave
First: 12.02.2026 23:34
Last: 12.02.2026 23:34
Sources 1
About this happening:
**CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...
Timeline
- 21.11.2025 19:58 · 1 article · 6mo ago
  Grafana Enterprise flaw found during internal auditing
  Technical Analysis Update: Grafana Labs discovered CVE-2025-41115 during internal auditing of Grafana Enterprise on November 4, identifying a SCIM provisioning flaw that could let a malicious or compromised SCIM client make new users appear as administrators or otherwise escalate privileges when enableSCIM and user_sync_enabled are both true.
  Sources:
  - Grafana warns of max severity admin spoofing vulnerability — www.bleepingcomputer.com — 21.11.2025 19:58
- 21.11.2025 19:58 · 2 articles · 6mo ago
  Grafana Labs publicly releases CVE-2025-41115 bulletin
  Initial Disclosure: Grafana Labs publicly released the security update and accompanying bulletin for CVE-2025-41115 on November 19, with patched Grafana Enterprise versions 12.3.0, 12.2.1, 12.1.3, and 12.0.6 available and guidance to upgrade or disable SCIM to reduce exploitation risk.
  Sources:
  - Grafana warns of max severity admin spoofing vulnerability — www.bleepingcomputer.com — 21.11.2025 19:58