Description
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
Published: 2026-05-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When a user's permission to create service‑account tokens is revoked in Grafana OSS, the revocation is not enforced immediately: for a few seconds afterwards the user can still mint tokens for that service account. A token created in that window is an ordinary service‑account credential, so it stays valid after the user's own access is gone, until it expires or an administrator deletes it. The practical effect is retained rather than escalated privilege: the user gains nothing they did not already hold, but can keep it past the point at which an administrator believes it was removed.

Affected Systems

Grafana OSS. The CVE references the Grafana Open Source Edition, but specific vulnerable releases are not enumerated in the data provided.

Risk and Exploitability

The CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N) rates this moderate: the actor must already hold the token‑minting permission (PR:H) and must win a race of a few seconds (AC:H), but a token minted in that race carries the service account's full read and write access (C:H/I:H). The EPSS score below 1% and the absence of the CVE from the CISA KEV catalog indicate no observed exploitation. The realistic scenario is an insider, or an account already under an attacker's control, that anticipates a demotion or offboarding and mints a token before the revocation propagates. The window is narrow, but the token it yields is not.

Generated by OpenCVE AI on May 25, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Log the HTTP API requests that create service‑account tokens (in OSS, the server log with router logging enabled; audit logging is a Grafana Enterprise feature) and alert when a token is created for a service account by a user whose permission on that account was removed at about the same time.
  • If an update is unavailable, treat every permission removal as an event to reconcile: list the affected service account's tokens and delete any created at or after the revocation, because a token minted inside the window remains valid until it is deleted or expires. Do not rely on the user merely losing the ability to mint.
  • Limit who holds write permission on service accounts, prefer short token expirations so a token minted in the window ages out quickly, and review service‑account permissions before offboarding or demoting a user rather than after.
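The two operational steps above, alerting on token creation by a just‑revoked user and reconciling the service account's token list, as an added example. This is not Grafana's or OpenCVE's code. It assumes that `GET /api/serviceaccounts/{id}/tokens` returns a JSON list of objects with integer `id`, `name` and an RFC 3339 `created` field, that `DELETE /api/serviceaccounts/{id}/tokens/{tokenId}` revokes one token, and that router logging writes one logfmt line per request with `uname=`, `t=`, `method=`, `path=` and `status=` fields; check all three against your Grafana version. The token list, the log lines, the user `alice`, service account `7` and the revocation time are constructed for the example.

```python
"""Alert on, and revoke, Grafana service-account tokens minted after a user's
permission was removed. Added example; API paths and log field names are
assumptions to verify against your deployment."""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta, timezone
from urllib.request import Request, urlopen

# Constructed: user "alice" lost write permission on service account 7 here.
REVOKED_AT = datetime(2026, 5, 13, 12, 0, 0, tzinfo=timezone.utc)
SA_ID = 7

# Constructed token list as the assumed API might return it a minute later.
SAMPLE_TOKENS = [
    {"id": 41, "name": "ci-deploy", "created": "2026-05-01T09:15:00Z"},
    {"id": 58, "name": "backup", "created": "2026-05-13T11:59:58Z"},
    {"id": 59, "name": "last-chance", "created": "2026-05-13T12:00:03Z"},
]
SAMPLE_TOKENS_JSON = json.dumps(SAMPLE_TOKENS)

# Constructed router-log lines: a read before revocation, a mint that slipped
# through the propagation window, and a later mint correctly rejected.
SAMPLE_LOG = """\
logger=context userId=3 orgId=1 uname=alice t=2026-05-13T11:30:12Z level=info msg="Request Completed" method=GET path=/api/serviceaccounts/7/tokens status=200
logger=context userId=3 orgId=1 uname=alice t=2026-05-13T12:00:03Z level=info msg="Request Completed" method=POST path=/api/serviceaccounts/7/tokens status=200
logger=context userId=3 orgId=1 uname=alice t=2026-05-13T12:00:09Z level=info msg="Request Completed" method=POST path=/api/serviceaccounts/7/tokens status=403
"""

# The revocation timestamp and Grafana's database clock may differ slightly;
# anything this close to the cutoff is treated as suspect rather than trusted.
CLOCK_SKEW = timedelta(seconds=5)

_LOG_RE = re.compile(
    r"uname=(?P<uname>\S+) t=(?P<t>\S+) .*?method=(?P<method>\S+) "
    r"path=/api/serviceaccounts/(?P<sa>\d+)/tokens status=(?P<status>\d+)"
)


def parse_ts(s: str) -> datetime:
    """RFC 3339 to aware datetime; older Pythons reject a bare trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def tokens_to_revoke(tokens: list[dict], revoked_at: datetime) -> list[dict]:
    """Tokens created at or after the revocation (minus skew). They outlive the
    user's access, so they must be deleted explicitly."""
    cutoff = revoked_at - CLOCK_SKEW
    return [t for t in tokens if parse_ts(t["created"]) >= cutoff]


def successful_mints_after(log_text: str, uname: str, sa_id: int,
                           revoked_at: datetime) -> list[datetime]:
    """Timestamps of successful token-creation requests by `uname` against
    `sa_id` from just before the revocation onwards: the events to alert on."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m or m["uname"] != uname or int(m["sa"]) != sa_id:
            continue
        if m["method"] != "POST" or not m["status"].startswith("2"):
            continue
        ts = parse_ts(m["t"])
        if ts >= revoked_at - CLOCK_SKEW:
            hits.append(ts)
    return hits


def urllib_http(method: str, url: str, admin_token: str) -> str:
    """Minimal transport: (method, url, bearer token) -> response body."""
    req = Request(url, method=method,
                  headers={"Authorization": f"Bearer {admin_token}"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


class OfflineHttp:
    """Stand-in transport so the example runs without a Grafana server."""
    def __init__(self) -> None:
        self.deleted: list[str] = []

    def __call__(self, method: str, url: str, admin_token: str) -> str:
        if method == "GET":
            return SAMPLE_TOKENS_JSON
        self.deleted.append(url)
        return ""


def revoke_post_revocation_tokens(base_url: str, admin_token: str, sa_id: int,
                                  revoked_at: datetime, http=urllib_http) -> list[int]:
    """List the service account's tokens and delete every suspect one.
    Returns the ids that were revoked."""
    body = http("GET", f"{base_url}/api/serviceaccounts/{sa_id}/tokens", admin_token)
    revoked = []
    for t in tokens_to_revoke(json.loads(body), revoked_at):
        http("DELETE", f"{base_url}/api/serviceaccounts/{sa_id}/tokens/{t['id']}", admin_token)
        revoked.append(t["id"])
    return revoked


if __name__ == "__main__":
    print("alert on:", successful_mints_after(SAMPLE_LOG, "alice", SA_ID, REVOKED_AT))
    print("revoked:", revoke_post_revocation_tokens("https://grafana.example", "<admin token>",
                                                    SA_ID, REVOKED_AT, http=OfflineHttp()))
```

The skew allowance is deliberate: the token created two seconds before the recorded revocation is revoked as well, because the cost of deleting a legitimate token (someone re-issues it) is far lower than the cost of leaving one that was minted inside the window. Against a live server, pass an admin token with permission to manage the service account and drop the `http=OfflineHttp()` argument so `urllib_http` is used.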


Advisories

No advisories yet.

History

Mon, 25 May 2026 12:15:00 +0000
  Weaknesses: CWE-272
  References: updated
  Metrics: threat_severity None -> Moderate

Thu, 14 May 2026 18:15:00 +0000
  Weaknesses: CWE-285

Thu, 14 May 2026 16:30:00 +0000
  Weaknesses: CWE-284
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 14:15:00 +0000
  First Time appeared: Grafana; Grafana grafana
  Vendors & Products: Grafana; Grafana grafana

Wed, 13 May 2026 22:30:00 +0000
  Weaknesses: CWE-285

Wed, 13 May 2026 20:00:00 +0000
  Description: "When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this."
  Title: "Users can generate Service Account tokens after permissions removal"
  References: updated
  Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published:

Updated: 2026-05-16T03:55:59.990Z

Reserved: 2026-03-19T07:55:06.978Z

Link: CVE-2026-33381

Vulnrichment

Updated: 2026-05-14T15:57:34.526Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T20:16:20.803

Modified: 2026-05-14T16:21:02.930

Link: CVE-2026-33381

Red Hat

Severity : Moderate

Public Date: 2026-05-13T19:28:31Z

Links: CVE-2026-33381 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-25T13:30:26Z

Weaknesses