cbcvebase.
CVE-2026-33381
published 2026-05-13

Priority: P3, 50, high
CVSS 3.1: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.24% (15.6th percentile)

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

Affected

23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 1.9.2-0.20260513165311-fb7336fc36c1 | 1.9.2-0.20260513165311-fb7336fc36c1 |
| grafana | grafana | - | - |
| grafana | grafana | >= 11.6.0 < 11.6.14 | 11.6.14 |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.4.0 < 12.4.3 | 12.4.3 |
| grafana | grafana | >= 13.0.0 < 13.0.1 | 13.0.1 |
| grafana | grafana_oss | >= 11.6.14 < 11.6.14+security-04 | 11.6.14+security-04 |
| grafana | grafana_oss | 12.0.0 – 12.2.8 | - |
| grafana | grafana_oss | >= 12.2.8 < 12.2.8+security-04 | 12.2.8+security-04 |
| grafana | grafana_oss | 12.3.0 – 12.3.6 | - |
| grafana | grafana_oss | >= 12.3.6 < 12.3.6+security-04 | 12.3.6+security-04 |
| grafana | grafana_oss | 12.4.0 – 12.4.3 | - |
| grafana | grafana_oss | >= 12.4.3 < 12.4.3+security-02 | 12.4.3+security-02 |
| grafana | grafana_oss | 13.0.0 – 13.0.1 | - |
| grafana | grafana_oss | >= 13.0.1 < 13.0.1+security-01 | 13.0.1+security-01 |
| grafana | grafana_oss | 9.2.0 – 11.6.14 | - |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | - | - |
| rhacm2 | acm-grafana-rhel9 | - | - |
| rhceph | grafana-rhel10 | - | - |
| rhceph | grafana-rhel9 | - | - |
| rhceph | rhceph-5-dashboard-rhel8 | - | - |
| rhceph | rhceph-6-dashboard-rhel9 | - | - |

CVSS provenance

nvd: v3.1, 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vendor_redhat: 5.9 MEDIUM