Users can generate Service Account tokens after permissions removal
Medium
| Advisory ID: | CVE-2026-33381 |
| Published: | 2026-05-13 |
| Product: | Grafana |
| CVSS Score: | 5.9 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N |
| Fixed Versions: | >=11.6.14+security-04, >=12.2.8+security-04, >=12.3.6+security-04, >=12.4.3+security-02, >=13.0.1+security-01 |
Summary
When a user’s access to mint tokens for a service account is revoked, the user can sometimes still mint tokens for a few seconds after the revocation. The user will eventually lose this access.
This vulnerability was reported via our bug bounty program.
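
To check an installed build against the Fixed Versions row above, the following is an added example, not code from Grafana or from this advisory. It assumes each ">=" bound applies only within its own major.minor release line and that a build without a `+security-NN` suffix sorts below `security-01`; the function names and status labels are hypothetical.

```python
import re

# Fixed builds copied from the advisory's "Fixed Versions" row.
FIXED_BUILDS = [
    "11.6.14+security-04",
    "12.2.8+security-04",
    "12.3.6+security-04",
    "12.4.3+security-02",
    "13.0.1+security-01",
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, security_level) for a version string."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, security = match.groups()
    # Assumption: no +security-NN suffix means security level 0.
    return int(major), int(minor), int(patch), int(security or 0)


def patch_status(installed):
    """Classify an installed version as 'fixed', 'not_fixed' or 'unlisted'."""
    current = parse_version(installed)
    for fixed in map(parse_version, FIXED_BUILDS):
        # Assumption: compare only against the fix for the same major.minor line.
        if current[:2] == fixed[:2]:
            return "fixed" if current >= fixed else "not_fixed"
    # The advisory lists no fixed build for this release line, so the
    # result is left open rather than guessed.
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ("12.3.6", "12.3.6+security-04", "12.4.4", "12.1.0"):
        print(sample, "->", patch_status(sample))
```

An `unlisted` result means the advisory names no fixed build for that release line, so it says nothing about whether the build is affected.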