Users can generate Service Account tokens after permissions removal

5.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Description

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

Basic Information

ID CVE-2026-33381

Source GRAFANA

Published May 13, 2026 at 19:28

Modified May 13, 2026 at 19:35

Affected Product

Vendor Grafana

Product Grafana OSS

Version 9.2.0

Affected Versions Grafana Grafana OSS 9.2.0
Grafana Grafana OSS 11.6.14
Grafana Grafana OSS 12.0.0
Grafana Grafana OSS 12.2.8
Grafana Grafana OSS 12.3.0
Grafana Grafana OSS 12.3.6
Grafana Grafana OSS 12.4.0
Grafana Grafana OSS 12.4.3
Grafana Grafana OSS 13.0.0
Grafana Grafana OSS 13.0.1

References

grafana.com /security/security-advisories/cve-2026-33381

{
    "lastseen": "",
    "description": "When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.",
    "published": "2026-05-13T19:28:31.559Z",
    "modified": "2026-05-13T19:35:08.982Z",
    "type": "cve",
    "title": "Users can generate Service Account tokens after permissions removal",
    "source": "GRAFANA",
    "references": "https://grafana.com/security/security-advisories/cve-2026-33381",
    "id": "CVE-2026-33381",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Grafana Grafana OSS 9.2.0\nGrafana Grafana OSS 11.6.14\nGrafana Grafana OSS 12.0.0\nGrafana Grafana OSS 12.2.8\nGrafana Grafana OSS 12.3.0\nGrafana Grafana OSS 12.3.6\nGrafana Grafana OSS 12.4.0\nGrafana Grafana OSS 12.4.3\nGrafana Grafana OSS 13.0.0\nGrafana Grafana OSS 13.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Grafana OSS",
    "version": "9.2.0",
    "vendor": "Grafana",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Users can generate Service Account tokens after permissions removal_CVE-2026-33381

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply