CVE-2025-41115

Grafana · Grafana Enterprise and Grafana Cloud

A critical vulnerability has been identified in Grafana Enterprise and Grafana Cloud that could allow a remote attacker to gain complete control over an affected instance.

Executive summary

CVE-2025-41115 is a critical vulnerability in Grafana Enterprise and Grafana Cloud that lets a remote attacker take complete control of an affected instance. The flaw is in the SCIM user provisioning feature: a malicious or compromised SCIM client can provision a user whose externalId is a bare integer, which Grafana maps onto an internal user ID, so the attacker can impersonate any existing user, administrators included, and escalate to full control of the instance. Exploitation requires a specific, non-default configuration (SCIM enabled with user synchronization turned on), so not every deployment is exposed, but where that configuration is present the risk of data compromise and system takeover is severe.

Vulnerability

The vulnerability is a privilege escalation flaw in Grafana's SCIM (System for Cross-domain Identity Management) provisioning feature. It is reachable only when SCIM is switched on and user synchronization is active, that is, when the enableSCIM feature toggle and the user_sync_enabled option in the [auth.scim] block are both true. In that configuration Grafana mishandles the externalId attribute of provisioned users: a malicious or compromised SCIM client (normally the identity provider, or anyone holding the credential it uses to call Grafana's SCIM endpoint) can create a user whose externalId is a bare integer, and Grafana incorrectly maps that integer onto an internal user ID instead of treating it as an opaque external identifier. The provisioned identity therefore overwrites whatever existing account holds that internal ID, and the attacker can act as that account. Grafana's internal user IDs are small sequential integers, so targeting a privileged account such as a server administrator is straightforward, and a successful attack yields full administrative access to the instance.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 10.0, reflecting the highest possible risk. Successful exploitation could lead to a complete compromise of the Grafana instance. An attacker with administrative access could steal sensitive data from configured data sources, manipulate or delete dashboards and alerts, alter user permissions, and potentially pivot to other systems within the network. The business impact includes severe data breaches, operational disruption, loss of data integrity, and significant reputational damage.

Remediation

Immediate Action: Update self-hosted Grafana Enterprise instances to a release that contains the fix. Grafana Cloud is operated by Grafana Labs, which applies security fixes to hosted instances centrally, so Cloud customers should verify with the vendor that the fix is in place rather than attempt to update the instance themselves. After updating, monitor for signs of exploitation attempts and review access and audit logs for unauthorized activity that may have occurred before the patch was applied. Because a successful attack overwrites an existing account rather than creating a visibly new one, also review the SCIM-linked identities of privileged users for externalId values that are bare integers, and rotate API keys, service account tokens and the SCIM client credential if any tampering is found.

Proactive Monitoring: Review SCIM provisioning logs (on the identity provider side, and on any proxy in front of Grafana that records SCIM requests) for user creation or update events in which externalId is a bare integer instead of the identity provider's usual identifier, typically a GUID or another opaque string. Review Grafana's audit logs for unexpected administrative actions such as permission changes, user deletions, and API key or service account token creation. Watch for sessions from unfamiliar IP addresses, particularly on administrative accounts, and for administrator accounts whose attributes (login, e-mail, display name) change without a matching change record, since overwriting the account is how the attack takes effect.
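As an added illustration of the monitoring described above (example code written for this page, not Grafana's or any vendor's tooling), the script below scans JSON log records for SCIM user writes whose externalId is a bare integer. It assumes a reverse proxy in front of the SCIM endpoint that logs the method, the path and the parsed request body as JSON fields; the field names, the /scim/v2/Users path and the sample records are all constructed for the example. It covers both ways a SCIM client can set externalId: a full User resource on POST or PUT, and a PatchOp message on PATCH (RFC 7644), with or without an explicit path in the patch operation.

```python
"""Scan SCIM provisioning traffic for numeric externalId values (CVE-2025-41115 indicator)."""
import json
import re
from typing import Iterable

NUMERIC_ID = re.compile(r"[0-9]+")
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def external_ids_set_by(body: dict) -> list:
    """Return every externalId a SCIM request body would write.

    Covers a User resource (POST /Users, PUT /Users/{id}) and a PatchOp
    message (PATCH /Users/{id}, RFC 7644 section 3.5.2) whose add/replace
    operations target externalId, either via an explicit path or via a
    partial resource passed as the operation's value.
    """
    found = []
    schemas = body.get("schemas", [])
    if USER_SCHEMA in schemas and body.get("externalId") is not None:
        found.append(str(body["externalId"]))
    if PATCH_SCHEMA in schemas:
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() not in ("add", "replace"):
                continue
            path, value = op.get("path"), op.get("value")
            if path is not None and path.lower() == "externalid":
                found.append(str(value))
            elif path is None and isinstance(value, dict) and "externalId" in value:
                found.append(str(value["externalId"]))
    return found


def flag_numeric_external_ids(log_lines: Iterable[str]) -> list:
    """Return one alert per logged SCIM write whose externalId is purely numeric.

    Each line is expected to be a JSON object with "method", "path" and a parsed
    "body" (an assumed reverse-proxy log shape, not a Grafana log format).
    """
    alerts = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skip it rather than abort the scan
        if not isinstance(rec, dict):
            continue
        if rec.get("method") not in ("POST", "PUT", "PATCH") or "/Users" not in rec.get("path", ""):
            continue
        body = rec.get("body")
        if not isinstance(body, dict):
            continue
        for ext_id in external_ids_set_by(body):
            if NUMERIC_ID.fullmatch(ext_id):
                alerts.append({
                    "ts": rec.get("ts"),
                    "src": rec.get("src"),
                    "method": rec["method"],
                    "userName": body.get("userName"),
                    "externalId": ext_id,
                })
    return alerts


# Constructed sample records (not real traffic): two benign provisioning calls,
# a POST and a PATCH that each set a numeric externalId, and one junk line.
SAMPLE_LOG = [
    json.dumps({"ts": "2025-11-19T09:58:12Z", "src": "198.51.100.7", "method": "POST",
                "path": "/scim/v2/Users",
                "body": {"schemas": [USER_SCHEMA], "userName": "alice@example.com",
                         "externalId": "7f3a9c1e-2b4d-4e8f-9a6b-1c2d3e4f5a6b"}}),
    json.dumps({"ts": "2025-11-19T09:59:40Z", "src": "198.51.100.7", "method": "PATCH",
                "path": "/scim/v2/Users/abc",
                "body": {"schemas": [PATCH_SCHEMA],
                         "Operations": [{"op": "replace", "path": "active", "value": False}]}}),
    json.dumps({"ts": "2025-11-19T10:02:05Z", "src": "203.0.113.10", "method": "POST",
                "path": "/scim/v2/Users",
                "body": {"schemas": [USER_SCHEMA], "userName": "svc-mirror@example.com",
                         "externalId": "1"}}),
    json.dumps({"ts": "2025-11-19T10:02:31Z", "src": "203.0.113.10", "method": "PATCH",
                "path": "/scim/v2/Users/def",
                "body": {"schemas": [PATCH_SCHEMA],
                         "Operations": [{"op": "replace", "value": {"externalId": "2"}}]}}),
    "not json at all",
]

if __name__ == "__main__":
    for alert in flag_numeric_external_ids(SAMPLE_LOG):
        print(alert)
```

A legitimate identity provider almost always sends a GUID or another opaque string as externalId, so the numeric filter produces few false positives. Carrying the source address into the alert, as the example does with src, lets you distinguish an unexpected caller from a misconfigured provisioning rule on the legitimate client.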

Compensating Controls: If patching cannot happen immediately, disable the vulnerable path by setting user_sync_enabled in the [auth.scim] block to false (alternatively, turn off the enableSCIM feature toggle, since both settings must be true for the flaw to be reachable). Check the effective configuration rather than only grafana.ini: Grafana settings can also be supplied as environment variables of the form GF_<SECTION>_<KEY>, so a GF_AUTH_SCIM_USER_SYNC_ENABLED=true in the container or service environment would override the file. Disabling synchronization prevents exploitation but also stops automated user lifecycle management via SCIM, so treat it as a temporary measure until the instance is patched.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the CVSS score of 10.0, this vulnerability requires immediate attention. All organizations running Grafana Enterprise or Grafana Cloud with SCIM enabled should apply the vendor-supplied fix without delay. While that is being arranged, administrators should confirm whether their configuration meets the exploitability conditions (enableSCIM and user_sync_enabled both true) so that the immediate exposure is assessed accurately, and should treat the credential their identity provider uses to call Grafana's SCIM endpoint as a high-value secret, since control of the SCIM client is the attacker's entry point.
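To check the exploitability conditions named above, and to confirm that the compensating control from the Remediation section (user_sync_enabled set to false) is actually in effect, here is an added example written for this page, not part of Grafana. It resolves the two relevant settings the way Grafana does: a value from an environment variable named GF_<SECTION>_<KEY> overrides grafana.ini, and the enableSCIM toggle can appear either as its own key under [feature_toggles] or in that section's comma-separated enable list. The sample ini fragments are constructed; treating only "true" and "1" as true values, and splitting the enable list on commas and whitespace, are assumptions made for the example.

```python
"""Check whether a Grafana configuration meets the CVE-2025-41115 exploitability conditions."""
import configparser
from typing import Mapping, Optional

# Boolean spellings treated as true; assumed to cover the values in typical grafana.ini files.
TRUE_VALUES = {"true", "1"}


def _setting(cp: configparser.ConfigParser, env: Mapping[str, str],
             section: str, key: str) -> Optional[str]:
    """Resolve one setting as Grafana does: GF_<SECTION>_<KEY> in the environment
    overrides grafana.ini, with dots in the section name turned into underscores."""
    env_name = "GF_%s_%s" % (section.replace(".", "_").upper(), key.upper())
    if env_name in env:
        return env[env_name]
    if cp.has_option(section, key):
        return cp.get(section, key)
    return None


def _is_true(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in TRUE_VALUES


def scim_toggle_enabled(cp: configparser.ConfigParser, env: Mapping[str, str]) -> bool:
    """enableSCIM is on if set as its own key under [feature_toggles] or listed in
    that section's comma-separated 'enable' key (Grafana accepts both forms)."""
    own = _setting(cp, env, "feature_toggles", "enableSCIM")
    if own is not None:
        return _is_true(own)
    listed = _setting(cp, env, "feature_toggles", "enable") or ""
    return "enableSCIM" in {t.strip() for t in listed.replace(" ", ",").split(",")}


def assess(ini_text: str, env: Optional[Mapping[str, str]] = None) -> dict:
    """Return the two relevant settings and whether together they expose the flaw."""
    env = env or {}
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so enableSCIM is matched as written
    cp.read_string(ini_text)
    toggle = scim_toggle_enabled(cp, env)
    sync = _is_true(_setting(cp, env, "auth.scim", "user_sync_enabled"))
    return {"enableSCIM": toggle, "user_sync_enabled": sync,
            "exploitable_configuration": toggle and sync}


# Constructed sample fragments, not copied from any real deployment.
VULNERABLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

MITIGATED_INI = """
[feature_toggles]
enable = enableSCIM

[auth.scim]
user_sync_enabled = false
"""

if __name__ == "__main__":
    print("grafana.ini only:     ", assess(MITIGATED_INI))
    # The file says false, but an environment override silently re-enables sync.
    print("with GF_ env override:", assess(MITIGATED_INI, {"GF_AUTH_SCIM_USER_SYNC_ENABLED": "true"}))
```

The second call in the main block is the case the compensating control can miss: grafana.ini shows user_sync_enabled = false, yet the deployment remains exploitable because the service environment sets GF_AUTH_SCIM_USER_SYNC_ENABLED=true. Run the check with the same environment the Grafana process actually receives.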