Lucene search
K

Grafana Enterprise SCIM Provisioning Privilege Escalation (CVE-2025-41115)

🗓️ 25 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 6 Views

Grafana Enterprise SCIM allows numeric externalId to override user IDs, enabling impersonation when provisioning is enabled.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(276746);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/03");

  script_cve_id("CVE-2025-41115");
  script_xref(name:"IAVB", value:"2025-B-0198-S");

  script_name(english:"Grafana Enterprise SCIM Provisioning Privilege Escalation (CVE-2025-41115)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage
users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM
provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised
SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs
and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions
are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to
true.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://grafana.com/blog/2025/11/19/grafana-enterprise-security-update-critical-severity-security-fix-for-cve-2025-41115/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8fc588a4");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Grafana Enterprise version 12.0.6, 12.1.3, 12.2.1, 12.3.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-41115");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/25");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:grafana:grafana");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("grafana_labs_detect.nbin");
  script_require_keys("installed_sw/Grafana Labs", "Settings/ParanoidReport");
  script_require_ports("Services/www", 3000);

  exit(0);
}

include('vcf.inc');
include('http.inc');

var port = get_http_port(default:3000);

var app_info = vcf::get_app_info(app:'Grafana Labs', port:port, webapp:TRUE);

# Can't determine if SCIM or user_sync_enabled is enabled/configured
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Only Grafana Enterprise is affected
if (empty_or_null(app_info['Edition']) || app_info['Edition'] !~ "Enterprise")
  vcf::audit(app_info);

var constraints = [
  { 'min_version' : '12.0.0', 'fixed_version' : '12.0.6' },
  { 'min_version' : '12.1.0', 'fixed_version' : '12.1.3' },
  { 'min_version' : '12.2.0', 'fixed_version' : '12.2.1' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 Mar 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.19.8 - 10
EPSS0.17293
SSVC
6