Grafana CVSS 10.0 SCIM flaw

Grafana fixed a CVSS 10.0 vulnerability in SCIM (Enterprise editions) that could let attackers sign in as admin. The bug was discovered internally on 4 Nov 2025; patches followed quickly. Grafana Cloud wasn’t affected. Admins should upgrade to the fixed versions immediately and review access logs for suspicious logins. This one’s a straight, high-severity identity bypass — the sort you don’t leave for the weekend.

Grafana has patched a CVSS 10.0 issue in its SCIM implementation that could allow an attacker to authenticate as an administrator. The company found it during an internal audit on 4 November, pushed fixes, and confirmed Grafana Cloud wasn’t impacted. If you run Enterprise 12.0.0–12.2.1, this is your sign to patch now.

In plain English: a provisioning feature designed to make identity life easier accidentally made account takeover a little too easy. With admin access, an attacker can change data sources, dashboards, and, crucially, tokens/credentials stored in Grafana that may unlock other systems.

What to do:
• Upgrade immediately to the fixed releases (or 12.3+).
• Review audit logs for odd admin sign-ins and token changes.
• If SCIM is exposed, pull it behind VPN/Zero-Trust access.
• Rotate any credentials that live in Grafana just to be safe.

A rare 10/10 is not something to admire — it’s something to remove. Treat it like a fire drill and close the loop today.
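A small triage helper, added here and not part of the original post or of Grafana's own tooling, that sorts an inventory of instances by whether the version they report falls in the 12.0.0–12.2.1 window the post names. The host names, the `edition` field and the health JSON are constructed sample data; Grafana's `GET /api/health` does return a `version` string but not the edition, so the edition is assumed to come from the operator's own records.

```python
"""Triage Grafana instances against the SCIM advisory's affected range.

Per the summary above: Grafana Enterprise 12.0.0 through 12.2.1 is affected,
12.3+ is fixed, and patched releases below 12.3 exist but are not named
here, so anything between 12.2.1 and 12.3.0 is flagged for manual checking.
"""
import re
from typing import Dict, List, Tuple

AFFECTED_MIN = (12, 0, 0)
AFFECTED_MAX = (12, 2, 1)
FIXED_MINOR = (12, 3, 0)


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH', ignoring a leading 'v' and any
    build/pre-release suffix such as '+security-01' or '-preview'."""
    core = v.strip().lstrip("v").split("+", 1)[0].split("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", core)
    if not m:
        raise ValueError(f"unrecognised Grafana version: {v!r}")
    return tuple(int(x) for x in m.groups())


def triage(version: str, edition: str) -> str:
    """Return a verdict string for one instance."""
    ver = parse_version(version)
    if edition.lower() != "enterprise":
        return "not-affected (SCIM is an Enterprise feature)"
    if ver < AFFECTED_MIN:
        return "outside-range (older than 12.0.0, not in the stated window)"
    if ver <= AFFECTED_MAX:
        return "VULNERABLE: upgrade now, then review admin logins and rotate tokens"
    if ver < FIXED_MINOR:
        return "check-advisory (above 12.2.1 but below 12.3; confirm it is a fixed release)"
    return "fixed (12.3+)"


# Constructed inventory; hosts and editions are assumptions, not real systems.
SAMPLE_INVENTORY: List[Dict] = [
    {"host": "grafana-prod.example.internal", "edition": "enterprise",
     "health": {"commit": "abc123", "database": "ok", "version": "12.2.1"}},
    {"host": "grafana-dev.example.internal", "edition": "enterprise",
     "health": {"commit": "def456", "database": "ok", "version": "v12.3.0+security-01"}},
    {"host": "grafana-lab.example.internal", "edition": "oss",
     "health": {"commit": "789abc", "database": "ok", "version": "12.1.0"}},
]


def triage_inventory(inventory: List[Dict]) -> Dict[str, str]:
    return {i["host"]: triage(i["health"]["version"], i["edition"]) for i in inventory}


if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:32} {verdict}")
```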