Bug 2413278 (CVE-2025-41115) - CVE-2025-41115 grafana: Incorrect Privilege Assignment
Summary: CVE-2025-41115 grafana: Incorrect Privilege Assignment
Keywords:
Status: NEW
Alias: CVE-2025-41115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-11-07 01:00 UTC by OSIDB Bzimport
Modified: 2025-12-16 04:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description (OSIDB Bzimport, 2025-11-07 01:00:37 UTC)
A flaw was found in Grafana. In deployments where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId.

Because Grafana maps the SCIM externalId directly to the internal user.uid, numeric values (e.g. "1") may be interpreted as internal numeric user IDs. In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the built-in Admin, leading to potential impersonation or privilege escalation.

This issue affects only deployments with SCIM enabled and configured.
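As an added illustration, not Grafana's own code (the User type, the in-memory directory and the function names are hypothetical), the identifier-lookup pattern the description implies sits beside a hardened provisioning path that keeps a SCIM externalId out of the numeric-id lookup:

```go
package main

import (
	"errors"
	"strconv"
)

// User is a hypothetical account record, not Grafana's own type.
type User struct {
	ID  int64  // internal numeric primary key
	UID string // externally visible string identifier
}

// Constructed directory: the built-in admin has internal ID 1 and a non-numeric uid.
var users = []User{{ID: 1, UID: "u-admin-7f3a"}}

// ResolveLoose models the weak pattern: one lookup that accepts either a uid or a
// numeric internal id, so the string "1" resolves to whichever account has ID 1.
func ResolveLoose(idOrUID string) (User, error) {
	n, err := strconv.ParseInt(idOrUID, 10, 64)
	for _, u := range users {
		if u.UID == idOrUID || (err == nil && u.ID == n) {
			return u, nil
		}
	}
	return User{}, errors.New("user not found")
}

// ResolveStrict matches only the uid column; a numeric-looking string never reaches the id path.
func ResolveStrict(uid string) (User, error) {
	for _, u := range users {
		if u.UID == uid {
			return u, nil
		}
	}
	return User{}, errors.New("user not found")
}

// ProvisionSCIMUser is the hardened path: reject an externalId that could be mistaken for
// an internal id before it is stored as the uid, then assign a fresh internal id.
func ProvisionSCIMUser(externalID string) (User, error) {
	if _, err := strconv.ParseInt(externalID, 10, 64); externalID == "" || err == nil {
		return User{}, errors.New("externalId must be a non-empty, non-numeric identifier")
	}
	u := User{ID: int64(len(users)) + 1, UID: externalID}
	users = append(users, u)
	return u, nil
}
```

The block has no main; call the functions from a test or wire ProvisionSCIMUser into a provisioning handler. Note that the numeric check uses ParseInt rather than a digits-only regex, so values such as "01" or "-5" are rejected as well.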
