Grafana Databricks DS Plugin <1.12.0, OAuth passthrough ID mixup
CVE-2025-41116 Published on November 11, 2025

Incorrect OAuth passthrough in Grafana Databricks Datasource
When using the Grafana Databricks Datasource Plugin, if OAuth passthrough is enabled on the datasource and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used and in information for which the viewer is not authorized being returned. This issue affects Grafana Databricks Datasource Plugin: from 1.6.0 before 1.12.0.

NVD

Weakness Type

What is a Separation of Privilege Vulnerability?

The product does not sufficiently compartmentalize functionality or processes that require different privilege levels, rights, or permissions. When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.

CVE-2025-41116 has been classified as a Separation of Privilege vulnerability or weakness.


Products Associated with CVE-2025-41116


Affected Versions

Grafana Labs Grafana Databricks Datasource Plugin:

Exploit Probability

EPSS: 0.06%
Percentile: 19.32%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.