Authentication bypass vulnerability, CVE-2025-41115 (CVSS 10.0), allows unauthenticated attackers to impersonate any Grafana user, including administrators.

Continue reading
Grafana has escalated a security alert to critical status, disclosing CVE-2025-41115, a maximum-severity authentication spoofing flaw. The vulnerability lies in the core identity-extraction logic of Grafana’s SAML and JWT authentication integrations.
Specifically, the flaw enables a remote, unauthenticated attacker to inject arbitrary identity headers, effectively allowing them to masquerade as any user in the system by forging the `X-Grafana-User` header.
This includes assuming the privileges of Grafana instance administrators, leading to a complete compromise of the Grafana environment and any integrated data sources.
Technical Mechanism: Header Manipulation and Trust Violation The exploit chain is deceptively simple, highlighting a critical failure in the enforcement of trust boundaries. When Grafana is configured to use SAML or JWT authentication, it relies on HTTP headers passed from a reverse proxy or identity provider to identify the user.
Intersection with SCIM Provisioning: An Amplification Vector This vulnerability directly undermines the security model of System for Cross-domain Identity Management (SCIM) provisioning. SCIM, used for automated user lifecycle management, relies on the integrity of admin-level authentication to create, modify, or deactivate users.
Mitigation and Immediate Action Required Grafana Labs has released patched versions for all affected branches: 11.3.9, 10.4.17, and 9.5.21. The remediation is non-negotiable.
CVE-2025-41115 is not a mere bug; it is a fundamental design flaw in Grafana's external authentication trust model. Its CVSS 10.0 score is warranted, as it provides a direct, low-complexity path for a network-based attacker to escalate from unauthenticated to complete administrative control.
The intersection with SCIM transforms a severe instance compromise into a potential identity governance disaster. Security teams must treat this as a top-priority remediation event, prioritizing patching above all other non-critical maintenance tasks.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation