Grafana Service Account Token Mint Race: Revocation Delay
CVE-2026-33381 Published on May 13, 2026
Users can generate Service Account tokens after permissions removal
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-33381 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2026-33381
Want to know whenever a new CVE is published for Grafana Labs Grafana? stack.watch will email you.
Affected Versions
Grafana OSS:- Version 9.2.0, <= 11.6.14 is affected.
- Version 11.6.14 and below 11.6.14+security-04 is affected.
- Version 12.0.0, <= 12.2.8 is affected.
- Version 12.2.8 and below 12.2.8+security-04 is affected.
- Version 12.3.0, <= 12.3.6 is affected.
- Version 12.3.6 and below 12.3.6+security-04 is affected.
- Version 12.4.0, <= 12.4.3 is affected.
- Version 12.4.3 and below 12.4.3+security-02 is affected.
- Version 13.0.0, <= 13.0.1 is affected.
- Version 13.0.1 and below 13.0.1+security-01 is affected.