Saved February 14, 2026
Do you care about this?
Grafana fixed a major security vulnerability (CVE-2025-41115) in its SCIM component that could enable user impersonation or privilege escalation. The flaw affects versions 12.0.0 to 12.2.1 with specific configurations enabled. Users should update to the latest versions to protect against this risk.
If you do, here's more
Grafana has issued security updates to address a severe vulnerability, identified as CVE-2025-41115, with a CVSS score of 10.0. This flaw affects the System for Cross-domain Identity Management (SCIM) component, which is designed for automated user management. If exploited, it can lead to privilege escalation or user impersonation, particularly in Grafana versions 12.x where SCIM is enabled.
The vulnerability stems from how Grafana maps user identities when a malicious SCIM client provisions a user with a numeric externalId. When both the enableSCIM feature flag and the user_sync_enabled configuration option are turned on, that numeric externalId can override an internal user ID, which could grant the provisioned account unauthorized access to existing accounts, including ones with administrative privileges. The affected versions range from Grafana Enterprise 12.0.0 to 12.2.1; fixes are available in versions 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01, and 12.3.0.
This issue was uncovered during an internal audit on November 4, 2025. Given its severity, Grafana strongly recommends that users upgrade to the patched versions immediately to protect against possible exploitation.
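Added here as an illustrative triage check, not Grafana's own code: it classifies a Grafana version against the affected and patched versions listed above, reads the two configuration switches the advisory names (the `[auth.scim]` section name for user_sync_enabled is an assumption), and flags SCIM user payloads whose externalId is purely numeric so they can be audited.

```python
import configparser
import re

# Version boundaries as stated in the advisory summary above.
AFFECTED_LOW, AFFECTED_HIGH = (12, 0, 0), (12, 2, 1)
PATCHED_BASES = {(12, 0, 6), (12, 1, 3), (12, 2, 1)}  # fixed as +security-01 builds

def parse_version(v: str) -> tuple[tuple[int, int, int], str]:
    """Split '12.0.6+security-01' into ((12, 0, 6), 'security-01')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\+([\w-]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3])), (m[4] or "")

def version_affected(v: str) -> bool:
    base, suffix = parse_version(v)
    if not AFFECTED_LOW <= base <= AFFECTED_HIGH:
        return False  # pre-12.0 builds and 12.3.0+ are outside the stated range
    # Assumption: any +security-NN build of a patched base carries the fix.
    return not (base in PATCHED_BASES and suffix.startswith("security-"))

def scim_sync_enabled(ini_text: str) -> bool:
    """True when both switches named in the advisory are on. The [auth.scim]
    section name for user_sync_enabled is an assumption."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    flag = cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    sync = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return flag and sync

def numeric_external_id(scim_user: dict) -> bool:
    """Alert on a SCIM user payload whose externalId is purely numeric, the
    shape the advisory describes as the trigger (a log/audit check)."""
    ext = scim_user.get("externalId")
    return isinstance(ext, str) and ext.isdigit()

def assess(version: str, ini_text: str) -> str:
    if not version_affected(version):
        return "not affected: version outside the vulnerable range or already patched"
    if not scim_sync_enabled(ini_text):
        return "vulnerable version, but SCIM user sync is off; upgrade when possible"
    return "EXPOSED: upgrade to 12.0.6/12.1.3/12.2.1 +security-01 or 12.3.0"

# Constructed sample config and SCIM payload, not taken from any real deployment.
SAMPLE_INI = "[feature_toggles]\nenableSCIM = true\n\n[auth.scim]\nuser_sync_enabled = true\n"
SAMPLE_USER = {"userName": "svc-monitor", "externalId": "1"}

if __name__ == "__main__":
    print(assess("12.2.0", SAMPLE_INI))
    print("numeric externalId:", numeric_external_id(SAMPLE_USER))
```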