CVE-2026-33381
Description
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Grafana, a revoked user can still mint service account tokens for a few seconds due to a caching race condition.
Vulnerability
A race condition exists in Grafana's permission caching mechanism that affects token minting for service accounts. When an administrator revokes a user's access to generate tokens for a service account, the permission change may not propagate immediately to the caching layer, leaving a short window where the user's cached permissions still grant token generation access. This affects Grafana versions prior to the fix released alongside this advisory [1].
Exploitation
The attacker must have been a previously authorized user with the ability to mint tokens for a specific service account. Exploitation requires that, after the administrator revokes this permission, the attacker generates a token within the few seconds in which the cached permission is still honoured; in practice this means either anticipating the revocation or already minting tokens continuously when it happens. No authentication bypass or special network position is required beyond the user's existing session, since the exploit relies entirely on the stale cache [1].
Impact
If successfully exploited, the attacker can generate a valid service account token after their explicit permission to do so has been removed. This token could then be used to access Grafana resources per the service account's configured scopes, potentially leading to unauthorized access to dashboards, data sources, or other integrated services. The impact is limited to token minting and does not provide direct code execution or privilege escalation beyond the service account's pre-existing permissions [1].
Mitigation
Grafana has addressed this vulnerability by improving the permission cache invalidation mechanism. Users should upgrade to the patched version indicated in the Grafana Labs security advisory [1]. No workaround is available; administrators should apply the update promptly. Because a token minted inside the stale window remains valid until it expires or is deleted, administrators who revoked token-minting access on an unpatched instance should review the service account's tokens for any created at or shortly after the revocation and delete those that should not exist. The flaw has a CVSS v3 base score of 5.9 (Medium) and is not currently listed on the CISA KEV catalog as of the publication date.
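The race described in the Vulnerability, Exploitation and Mitigation sections above, reduced to a runnable Go simulation. This is an added example, not Grafana's code: the advisory does not describe Grafana's cache structure, TTL or the exact fix, so the TTL cache, the "alice"/"sa-deploy" grant, the five-second TTL and the invalidate-on-revoke fix are all assumptions chosen to make the window measurable on a fake clock. The same cache is run once as the vulnerable variant (revocation updates only the store) and once as the hardened variant (revocation also evicts the cached decision).

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// cacheKey joins the (user, service account) pair into one map key.
func cacheKey(user, sa string) string { return user + "\x00" + sa }

// PermissionStore is the authoritative record of who may mint tokens for which
// service account (the role the database plays in a real deployment).
type PermissionStore struct {
	mu    sync.RWMutex
	grant map[string]bool
}

func NewPermissionStore() *PermissionStore { return &PermissionStore{grant: map[string]bool{}} }

func (s *PermissionStore) Grant(user, sa string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.grant[cacheKey(user, sa)] = true
}

func (s *PermissionStore) Revoke(user, sa string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.grant, cacheKey(user, sa))
}

func (s *PermissionStore) Lookup(user, sa string) bool {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.grant[cacheKey(user, sa)]
}

// cachedDecision is a permission decision plus the instant it stops being trusted.
type cachedDecision struct {
	allowed bool
	expires time.Time
}

// PermissionCache fronts the store with a TTL cache (assumed design, not Grafana's).
// invalidateOnRevoke selects the hardened behaviour: a revocation evicts the
// cached decision immediately instead of letting it age out.
type PermissionCache struct {
	store              *PermissionStore
	ttl                time.Duration
	now                func() time.Time // injectable clock so the window can be measured
	invalidateOnRevoke bool
	mu                 sync.Mutex
	entries            map[string]cachedDecision
}

func NewPermissionCache(store *PermissionStore, ttl time.Duration, now func() time.Time, invalidateOnRevoke bool) *PermissionCache {
	return &PermissionCache{store: store, ttl: ttl, now: now,
		invalidateOnRevoke: invalidateOnRevoke, entries: map[string]cachedDecision{}}
}

// CanMintToken is the check the token-minting endpoint consults. An unexpired
// cache entry is served without consulting the store; that is where a revoked
// grant can still answer "yes".
func (c *PermissionCache) CanMintToken(user, sa string) bool {
	k := cacheKey(user, sa)
	c.mu.Lock()
	defer c.mu.Unlock()
	if d, ok := c.entries[k]; ok && c.now().Before(d.expires) {
		return d.allowed
	}
	allowed := c.store.Lookup(user, sa)
	c.entries[k] = cachedDecision{allowed: allowed, expires: c.now().Add(c.ttl)}
	return allowed
}

// Revoke is the administrator action. The vulnerable variant updates only the
// store and leaves the cached "allowed" decision in place until its TTL lapses.
func (c *PermissionCache) Revoke(user, sa string) {
	c.store.Revoke(user, sa)
	if c.invalidateOnRevoke {
		c.mu.Lock()
		defer c.mu.Unlock()
		delete(c.entries, cacheKey(user, sa))
	}
}

// StaleWindow replays the scenario on a fake clock and returns how long after
// the revocation the user could still mint a token, probing once per second
// the way a scripted attacker would.
func StaleWindow(invalidateOnRevoke bool, ttl time.Duration) time.Duration {
	clock := time.Unix(0, 0)
	now := func() time.Time { return clock }
	store := NewPermissionStore()
	store.Grant("alice", "sa-deploy") // constructed sample grant
	cache := NewPermissionCache(store, ttl, now, invalidateOnRevoke)

	cache.CanMintToken("alice", "sa-deploy") // a request before revocation warms the cache
	cache.Revoke("alice", "sa-deploy")       // administrator revokes the grant at t=0

	var window time.Duration
	for step := 0; step <= int(ttl/time.Second)+1; step++ {
		clock = time.Unix(int64(step), 0)
		if !cache.CanMintToken("alice", "sa-deploy") {
			break
		}
		window = time.Duration(step+1) * time.Second
	}
	return window
}

func main() {
	ttl := 5 * time.Second
	fmt.Printf("TTL-only cache:       minting still allowed for %v after revocation\n", StaleWindow(false, ttl))
	fmt.Printf("invalidate on revoke: minting still allowed for %v after revocation\n", StaleWindow(true, ttl))
}
```

With a TTL-only cache the window equals the TTL, which is the "few seconds" the advisory describes; with eviction on revoke it is zero. Any fix that shortens the TTL without evicting on revoke merely narrows the window rather than closing it, which is why the page recommends upgrading rather than tuning.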
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.