SB2025112702 - Incorrect privilege assignment in Grafana Enterprise 




Published: November 27, 2025 Updated: December 4, 2025

Security Bulletin ID: SB2025112702
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity: Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Incorrect privilege assignment (CVE-ID: CVE-2025-41115)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to an error in identity handling. A malicious or compromised SCIM client can provision a user with a numeric externalId; because that value is mapped onto an internal user ID, the client can override an existing account's identity, leading to impersonation or privilege escalation.

Successful exploitation of the vulnerability requires that the enableSCIM feature flag be set to true and that the "user_sync_enabled" option in the [auth.scim] block be set to "true". Deployments with either setting disabled do not expose the vulnerable code path.
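The following is an added illustration of the bug class described above and of the two preconditions; it is not Grafana's code. The in-memory user store, the handler names, the SCIM payload and the grafana.ini layout (enableSCIM under [feature_toggles], either as its own key or in the comma-separated "enable" list) are assumptions made for the example.

```python
"""Model of a SCIM externalId -> internal user ID confusion.

Constructed example, not Grafana's implementation: the store, the
provisioning handlers and the ini layout are assumptions.
"""
import configparser
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: int
    login: str
    is_admin: bool
    external_id: Optional[str] = None


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    next_id: int = 1

    def add(self, login: str, is_admin: bool = False,
            external_id: Optional[str] = None) -> User:
        """Internal IDs are allocated here and only here."""
        user = User(self.next_id, login, is_admin, external_id)
        self.users[user.id] = user
        self.next_id += 1
        return user


def provision_vulnerable(store: UserStore, scim_user: dict) -> User:
    """Bug class: a numeric externalId is trusted as the internal user ID,
    so the SCIM client can attach its own login to an existing account."""
    ext = scim_user["externalId"]
    if ext.isdigit():
        existing = store.users.get(int(ext))
        if existing is not None:
            existing.login = scim_user["userName"]  # hijacks the record
            existing.external_id = ext
            return existing
    return store.add(scim_user["userName"], external_id=ext)


def provision_hardened(store: UserStore, scim_user: dict) -> User:
    """externalId is an opaque identifier from the IdP: never parsed,
    never used to look up an internal ID, and never reused."""
    ext = scim_user["externalId"]
    if any(u.external_id == ext for u in store.users.values()):
        raise ValueError(f"externalId {ext!r} already provisioned")
    return store.add(scim_user["userName"], external_id=ext)


# Constructed attacker payload: externalId "1" collides with the first
# (admin) account in the store.
ATTACKER_SCIM_USER = {"userName": "attacker@example.com", "externalId": "1"}


def demo_vulnerable() -> tuple:
    store = UserStore()
    store.add("admin", is_admin=True)  # id 1
    hijacked = provision_vulnerable(store, ATTACKER_SCIM_USER)
    return hijacked.id, hijacked.login, hijacked.is_admin


def demo_hardened() -> tuple:
    store = UserStore()
    store.add("admin", is_admin=True)  # id 1
    fresh = provision_hardened(store, ATTACKER_SCIM_USER)
    return fresh.id, fresh.login, fresh.is_admin


def scim_exposed(ini_text: str) -> bool:
    """True when both preconditions from the bulletin hold in the given
    grafana.ini text (assumed layout, see lead-in)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    toggled = cp.getboolean("feature_toggles", "enableSCIM", fallback=False)
    enable_list = cp.get("feature_toggles", "enable", fallback="")
    listed = "enableSCIM" in [f.strip() for f in enable_list.split(",")]
    sync = cp.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return (toggled or listed) and sync


# Constructed config fragments for the check.
VULNERABLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

LIST_FORM_INI = """
[feature_toggles]
enable = enableSCIM

[auth.scim]
user_sync_enabled = true
"""

SAFE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = false
"""
```

In the vulnerable model the attacker's login lands on user ID 1 and inherits its admin flag; the hardened handler allocates ID 2, keeps the admin record untouched and refuses a second provisioning with the same externalId. The config check only tells you whether the two documented preconditions are both enabled; whether an attacker can reach the SCIM endpoint with valid client credentials is a separate question.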


Remediation

Install the update from the vendor's website. Until the update is applied, disabling the enableSCIM feature flag or setting "user_sync_enabled" in the [auth.scim] block to "false" removes the precondition for exploitation; in either case, review SCIM client credentials and recently provisioned users with numeric externalId values.