In a bold move reminiscent of a software company giving away free viruses with every download, Grafana has generously offered its users an unadvertised feature: unrestricted user impersonation! With a CVSS score of 10.0, this is the software world’s version of a perfect score at a very terrifying Olympic sport.
CVE-2025-41115 lives in Grafana Enterprise's SCIM provisioning feature, which was designed to simplify user management and instead turned out to be a dream come true for career hackers everywhere. The short version: a malicious or compromised SCIM client could provision a user whose numeric externalId mapped onto an existing internal Grafana user ID, and thereby inherit that account, admin included. It's like handing your house keys to a locksmith who moonlights as a burglar, except the locksmith also gets to pick which resident he is today.
Grafana claims they were simply following what they thought was the latest trend, "open everything up", misunderstanding it as a cybersecurity strategy rather than the philosophical musings of a startup's marketing team trying to describe their floor plan.
In their defense, Grafana did acknowledge the issue and patch it (12.0.6+security-01, 12.1.3+security-01 and 12.2.1+security-01), and only instances running Grafana Enterprise 12.0.0 through 12.2.1 with the enableSCIM feature toggle on and user_sync_enabled set under [auth.scim] were ever exposed. Hopefully the fix landed before too many users decided to follow suit and accidentally start managing their identities across different time zones, or worse, planets.
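For readers who would rather check than laugh, here is an added exposure check; it is not code from the original post or from Grafana. It applies the advisory's preconditions (the enableSCIM feature toggle, user_sync_enabled under [auth.scim], and a Grafana Enterprise build from 12.0.0 up to but not including the three fixed releases) to a grafana.ini and a version string. The sample configs are constructed, and treating 12.3 and later as fixed is an assumption made here rather than a statement from the advisory.

```python
"""Exposure check for CVE-2025-41115 (Grafana Enterprise SCIM provisioning).

Added example, not from the post or from Grafana. Preconditions are the ones
the advisory states; the handling of release lines after 12.2 is an assumption.
"""
import configparser
import re
from typing import Optional, Tuple

# First fixed patch level per 12.x minor line; the fix shipped as the
# "+security-01" build of that patch, so the plain build is still vulnerable.
FIXED_PATCH_BY_MINOR = {0: 6, 1: 3, 2: 1}


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, has_security_suffix) for e.g. '12.2.1+security-01'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\+([\w.-]+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4) or ""
    return major, minor, patch, suffix.startswith("security")


def version_is_fixed(version: str) -> bool:
    """True if this build carries the fix (or never had SCIM provisioning at all)."""
    major, minor, patch, security = parse_version(version)
    if major < 12:
        return True  # SCIM provisioning was introduced in 12.0.0
    if major > 12 or minor > 2:
        return True  # assumption: lines after 12.2 ship with the fix
    fixed_patch = FIXED_PATCH_BY_MINOR[minor]
    if patch > fixed_patch:
        return True  # assumption: later patch releases on the line include it
    if patch == fixed_patch:
        return security  # 12.2.1 is vulnerable, 12.2.1+security-01 is not
    return False


def _truthy(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in {"true", "1", "yes", "on"}


def scim_enabled(cfg: configparser.ConfigParser) -> bool:
    """enableSCIM may appear as its own key or inside the comma-separated 'enable' list."""
    if not cfg.has_section("feature_toggles"):
        return False
    section = cfg["feature_toggles"]
    if _truthy(section.get("enableSCIM")):
        return True
    listed = {t.strip() for t in section.get("enable", "").split(",")}
    return "enableSCIM" in listed


def user_sync_enabled(cfg: configparser.ConfigParser) -> bool:
    return cfg.has_section("auth.scim") and _truthy(cfg["auth.scim"].get("user_sync_enabled"))


def is_exposed(ini_text: str, version: str) -> bool:
    """All three preconditions must hold: toggle on, user sync on, unfixed build."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case so 'enableSCIM' matches
    cfg.read_string(ini_text)
    return scim_enabled(cfg) and user_sync_enabled(cfg) and not version_is_fixed(version)


# Constructed sample config, not taken from any real deployment.
SCIM_SYNC_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
"""

if __name__ == "__main__":
    for v in ("12.2.1", "12.2.1+security-01", "12.0.3", "11.6.0"):
        print(f"{v:>20}: {'EXPOSED' if is_exposed(SCIM_SYNC_INI, v) else 'ok'}")
```

Run it against your own grafana.ini and the version shown on the server's /api/health endpoint; the check is deliberately conservative, so a plain 12.2.1 without the security suffix is reported as exposed.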