CVE-2026-33381
Published 2026-05-13
Priority P3 · 50 · high · CVSS 3.1: 8.1
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.24% (15.6th percentile)
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
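The advisory describes a revocation that takes effect only "eventually": a permission removed from the authoritative store still yields an allow decision for a few seconds. The page does not say what Grafana's mechanism is; the example below is added here to model the generic failure mode of that class (a memoised authorization decision that outlives the grant it was computed from) beside the fix, and is not Grafana's code. The action and scope strings, the `Authorizer` type and the `StaleWindow` scenario are all illustrative assumptions; the clock is injected so the window is reproducible without sleeping.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// permKey identifies one (subject, action, scope) decision. The action and
// scope strings are illustrative, not Grafana's actual RBAC identifiers.
type permKey struct{ user, action, scope string }

type cacheEntry struct {
	allowed bool
	expires time.Time
}

// Authorizer is a permission store fronted by a TTL cache. The store is the
// source of truth; request handlers consult the cache. (Hypothetical model.)
type Authorizer struct {
	mu    sync.Mutex
	store map[permKey]bool       // authoritative grants
	cache map[permKey]cacheEntry // memoised decisions
	ttl   time.Duration
	now   func() time.Time // injectable clock
	// invalidateOnRevoke is the fix: drop the memoised decision when a grant
	// is removed instead of letting it age out.
	invalidateOnRevoke bool
}

func NewAuthorizer(ttl time.Duration, invalidateOnRevoke bool, now func() time.Time) *Authorizer {
	return &Authorizer{
		store: map[permKey]bool{}, cache: map[permKey]cacheEntry{},
		ttl: ttl, now: now, invalidateOnRevoke: invalidateOnRevoke,
	}
}

func (a *Authorizer) Grant(user, action, scope string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.store[permKey{user, action, scope}] = true
}

func (a *Authorizer) Revoke(user, action, scope string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	k := permKey{user, action, scope}
	delete(a.store, k)
	if a.invalidateOnRevoke {
		delete(a.cache, k) // without this line the stale allow survives until ttl
	}
}

// Can answers from the cache while the entry is fresh; otherwise it consults
// the store and memoises the answer for ttl.
func (a *Authorizer) Can(user, action, scope string) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	k := permKey{user, action, scope}
	if e, ok := a.cache[k]; ok && a.now().Before(e.expires) {
		return e.allowed
	}
	allowed := a.store[k]
	a.cache[k] = cacheEntry{allowed: allowed, expires: a.now().Add(a.ttl)}
	return allowed
}

// MintToken is the guarded operation: create a token for service account saID.
func (a *Authorizer) MintToken(user, saID string) (string, error) {
	if !a.Can(user, "serviceaccounts:write", "serviceaccounts:id:"+saID) {
		return "", errors.New("forbidden")
	}
	return fmt.Sprintf("token-%s-%s-%d", saID, user, a.now().Unix()), nil
}

// StaleWindow replays the advisory's scenario: alice is granted write on
// service account 7, mints once (warming the cache), is revoked, then tries
// again immediately and after the cache TTL. It reports whether each of the
// two post-revocation attempts succeeded.
func StaleWindow(invalidateOnRevoke bool) (rightAfterRevoke, afterTTL bool) {
	clock := time.Unix(1_700_000_000, 0) // constructed fixed start time
	a := NewAuthorizer(5*time.Second, invalidateOnRevoke, func() time.Time { return clock })
	a.Grant("alice", "serviceaccounts:write", "serviceaccounts:id:7")
	if _, err := a.MintToken("alice", "7"); err != nil {
		panic("setup: alice should be able to mint before revocation")
	}
	a.Revoke("alice", "serviceaccounts:write", "serviceaccounts:id:7")
	_, err := a.MintToken("alice", "7")
	rightAfterRevoke = err == nil
	clock = clock.Add(6 * time.Second) // let the memoised decision age out
	_, err = a.MintToken("alice", "7")
	afterTTL = err == nil
	return rightAfterRevoke, afterTTL
}

func main() {
	r, t := StaleWindow(false)
	fmt.Printf("TTL cache only:       minted after revoke=%v, after TTL=%v\n", r, t)
	r, t = StaleWindow(true)
	fmt.Printf("invalidate on revoke: minted after revoke=%v, after TTL=%v\n", r, t)
}
```

With `invalidateOnRevoke=false` the first post-revocation mint succeeds and only the attempt after the TTL is refused, which is exactly the "still possible for a few seconds, eventually loses access" behaviour the advisory describes; with the invalidation in place the very next request is denied. The practical check for an operator is the same shape as `StaleWindow`: revoke, then immediately retry the token-creation call and confirm it is refused rather than assuming it is.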
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 1.9.2-0.20260513165311-fb7336fc36c1 | 1.9.2-0.20260513165311-fb7336fc36c1 |
| grafana | grafana | — | — |
| grafana | grafana | >= 11.6.0 < 11.6.14 | 11.6.14 |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.4.0 < 12.4.3 | 12.4.3 |
| grafana | grafana | >= 13.0.0 < 13.0.1 | 13.0.1 |
| grafana | grafana_oss | >= 11.6.14 < 11.6.14+security-04 | 11.6.14+security-04 |
| grafana | grafana_oss | 12.0.0 – 12.2.8 | — |
| grafana | grafana_oss | >= 12.2.8 < 12.2.8+security-04 | 12.2.8+security-04 |
| grafana | grafana_oss | 12.3.0 – 12.3.6 | — |
| grafana | grafana_oss | >= 12.3.6 < 12.3.6+security-04 | 12.3.6+security-04 |
| grafana | grafana_oss | 12.4.0 – 12.4.3 | — |
| grafana | grafana_oss | >= 12.4.3 < 12.4.3+security-02 | 12.4.3+security-02 |
| grafana | grafana_oss | 13.0.0 – 13.0.1 | — |
| grafana | grafana_oss | >= 13.0.1 < 13.0.1+security-01 | 13.0.1+security-01 |
| grafana | grafana_oss | 9.2.0 – 11.6.14 | — |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| rhacm2 | acm-grafana-rhel9 | — | — |
| rhceph | grafana-rhel10 | — | — |
| rhceph | grafana-rhel9 | — | — |
| rhceph | rhceph-5-dashboard-rhel8 | — | — |
| rhceph | rhceph-6-dashboard-rhel9 | — | — |
CVSS provenance
NVD (CVSS v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Red Hat (vendor): 5.9 MEDIUM
VulDB
Grafana OSS up to 13.0.1+security-00 privilege escalation (WID-SEC-2026-1546)
vuldb·2026-05-16·CVSS 5.9
CVE-2026-33381 [MEDIUM] Grafana OSS up to 13.0.1+security-00 privilege escalation (WID-SEC-2026-1546)
A vulnerability was found in Grafana OSS. It has been rated as problematic. This issue affects some unknown processing. Performing a manipulation results in privilege escalation.
This vulnerability is identified as CVE-2026-33381. The attack can be initiated remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
GHSA-wfhv-mj62-f5xh: When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event
ghsa_unreviewed·2026-05-13
CVE-2026-33381 [MEDIUM] CWE-284 GHSA-wfhv-mj62-f5xh: When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
GHSA
Grafana: Users can generate Service Account tokens after permissions removal
ghsa·2026-05-13
CVE-2026-33381 [MEDIUM] CWE-284 Grafana: Users can generate Service Account tokens after permissions removal
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
Red Hat
grafana: Grafana: Temporary access control bypass for service account token minting
vendor_redhat·2026-05-13·CVSS 5.9
CVE-2026-33381 [MEDIUM] CWE-272 grafana: Grafana: Temporary access control bypass for service account token minting
A flaw was found in Grafana. When a user's access to mint tokens for a service account is revoked, the system may temporarily allow the user to continue minting tokens for a few seconds. This could lead to a temporary bypass of access control, potentially enabling unauthorized actions if the tokens are used before the revocation fully propagates.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Package: multicluster-globalhub/multicluster-globalhub-grafana-rhel9 (Multicluster Global Hub) - Fix deferred
Packag
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33381 grafana: Grafana: Temporary access control bypass for service account token minting [fedora-all]
bugzilla·2026-05-25·CVSS 5.9
CVE-2026-33381 [MEDIUM] CVE-2026-33381 grafana: Grafana: Temporary access control bypass for service account token minting [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-33381 grafana: Grafana: Temporary access control bypass for service account token minting
bugzilla·2026-05-13·CVSS 5.9
CVE-2026-33381 [MEDIUM] CVE-2026-33381 grafana: Grafana: Temporary access control bypass for service account token minting
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
Published: 2026-05-13