{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33381", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2026-03-19T07:55:06.978Z", "datePublished": "2026-05-13T19:28:31.559Z", "dateUpdated": "2026-06-22T16:31:11.099Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-06-22T16:31:11.099Z"}, "datePublic": "2026-05-13T07:44:00.000Z", "title": "Users can generate Service Account tokens after permissions removal", "descriptions": [{"lang": "en", "value": "When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this."}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "defaultStatus": "unaffected", "versions": [{"version": "9.2.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "11.6.14"}, {"version": "11.6.14", "status": "affected", "versionType": "custom", "lessThan": "11.6.14+security-04"}, {"version": "12.0.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "12.2.8"}, {"version": "12.2.8", "status": "affected", "versionType": "custom", "lessThan": "12.2.8+security-04"}, {"version": "12.3.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "12.3.6"}, {"version": "12.3.6", "status": "affected", "versionType": "custom", "lessThan": "12.3.6+security-04"}, {"version": "12.4.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "12.4.3"}, {"version": "12.4.3", "status": "affected", "versionType": "custom", "lessThan": "12.4.3+security-02"}, {"version": "13.0.0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "13.0.1"}, {"version": "13.0.1", "status": "affected", "versionType": "custom", "lessThan": "13.0.1+security-01"}]}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-33381", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "BUG_BOUNTY"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-15T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33381"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-16T03:55:59.990Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33381", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-14T15:57:39.887026Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T15:57:34.526Z"}}], "cna": {"title": "Users can generate Service Account tokens after permissions removal", "source": {"discovery": "BUG_BOUNTY"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"}}], "affected": [{"vendor": "Grafana", "product": "Grafana OSS", "versions": [{"status": "affected", "version": "9.2.0", "versionType": "semver", "lessThanOrEqual": "11.6.14"}, {"status": "affected", "version": "11.6.14", "lessThan": "11.6.14+security-04", "versionType": "custom"}, {"status": "affected", "version": "12.0.0", "versionType": "semver", "lessThanOrEqual": "12.2.8"}, {"status": "affected", "version": "12.2.8", "lessThan": "12.2.8+security-04", "versionType": "custom"}, {"status": "affected", "version": "12.3.0", "versionType": "semver", "lessThanOrEqual": "12.3.6"}, {"status": "affected", "version": "12.3.6", "lessThan": "12.3.6+security-04", "versionType": "custom"}, {"status": "affected", "version": "12.4.0", "versionType": "semver", "lessThanOrEqual": "12.4.3"}, {"status": "affected", "version": "12.4.3", "lessThan": "12.4.3+security-02", "versionType": "custom"}, {"status": "affected", "version": "13.0.0", "versionType": "semver", "lessThanOrEqual": "13.0.1"}, {"status": "affected", "version": "13.0.1", "lessThan": "13.0.1+security-01", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-05-13T07:44:00.000Z", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2026-33381", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this."}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2026-06-22T16:31:11.099Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33381", "state": "PUBLISHED", "dateUpdated": "2026-06-22T16:31:11.099Z", "dateReserved": "2026-03-19T07:55:06.978Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2026-05-13T19:28:31.559Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "product": "Grafana OSS", "vendor": "Grafana", "versions": [{"lessThanOrEqual": "11.6.14", "status": "affected", "version": "9.2.0", "versionType": "semver"}, {"lessThan": "11.6.14+security-04", "status": "affected", "version": "11.6.14", "versionType": "custom"}, {"lessThanOrEqual": "12.2.8", "status": "affected", "version": "12.0.0", "versionType": "semver"}, {"lessThan": "12.2.8+security-04", "status": "affected", "version": "12.2.8", "versionType": "custom"}, {"lessThanOrEqual": "12.3.6", "status": "affected", "version": "12.3.0", "versionType": "semver"}, {"lessThan": "12.3.6+security-04", "status": "affected", "version": "12.3.6", "versionType": "custom"}, {"lessThanOrEqual": "12.4.3", "status": "affected", "version": "12.4.0", "versionType": "semver"}, {"lessThan": "12.4.3+security-02", "status": "affected", "version": "12.4.3", "versionType": "custom"}, {"lessThanOrEqual": "13.0.1", "status": "affected", "version": "13.0.0", "versionType": "semver"}, {"lessThan": "13.0.1+security-01", "status": "affected", "version": "13.0.1", "versionType": "custom"}]}], "source": "security@grafana.com"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "04916693-D14C-4B90-A469-51C2A2A66782", "versionEndExcluding": "11.6.14", "versionStartIncluding": "11.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "37747AB2-8B5F-4BD3-860E-0C092A9F78F0", "versionEndExcluding": "12.2.8", "versionStartIncluding": "12.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "870FE01F-86F1-4734-9CC3-6FC9AF3012C5", "versionEndExcluding": "12.3.6", "versionStartIncluding": "12.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "4451FBC6-6277-4DD8-B143-0DAE82175D9A", "versionEndExcluding": "12.4.3", "versionStartIncluding": "12.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE07D597-63A4-4EF4-B2E2-DCA40D943D61", "versionEndExcluding": "13.0.1", "versionStartIncluding": "13.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this."}], "id": "CVE-2026-33381", "lastModified": "2026-06-17T13:20:16.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.2, "source": "security@grafana.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-33381", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2026-05-15T00:00:00+00:00", "version": "2.0.3"}}]}, "published": "2026-05-13T20:16:20.803", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2026-33381"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Grafana: Temporary access control bypass for service account token minting", "id": "2477239", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477239"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-272", "details": ["A flaw was found in Grafana. When a user's access to mint tokens for a service account is revoked, the system may temporarily allow the user to continue minting tokens for a few seconds. This could lead to a temporary bypass of access control, potentially enabling unauthorized actions if the tokens are used before the revocation fully propagates."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33381", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Fix deferred", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Fix deferred", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:ceph_storage:9", "fix_state": "Fix deferred", "package_name": "rhceph/grafana-rhel10", "product_name": "Red Hat Ceph Storage 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-13T19:28:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33381\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33381\nhttps://grafana.com/security/security-advisories/cve-2026-33381"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[9.2.0,11.6.14]"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "generic", "value": "[11.6.14,11.6.14+security-04)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,12.2.8]"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "generic", "value": "[12.2.8,12.2.8+security-04)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.0,12.3.6]"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "generic", "value": "[12.3.6,12.3.6+security-04)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.4.0,12.4.3]"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "generic", "value": "[12.4.3,12.4.3+security-02)"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.0,13.0.1]"}}, {"platform": ["onprem"], "status": "affected", "versions": {"scheme": "generic", "value": "[13.0.1,13.0.1+security-01)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Grafana OSS", "source": "cna", "vendor": "Grafana"}, "product": "grafana", "vendor": "grafana"}], "created": "2026-05-13T22:15:09.823383+00:00", "updated": "2026-05-25T13:30:26.271271+00:00", "vendors": ["grafana", "grafana$PRODUCT$grafana"]}