CVE-2026-33381 Overview
CVE-2026-33381 is a race condition vulnerability in Grafana that affects the revocation of service account token minting permissions. When an administrator revokes a user's access to mint tokens for a service account, the user retains the ability to perform this action for a brief window after the revocation event. The access is eventually removed, but the delay creates an exploitable window for a privileged user whose minting permission has just been revoked.
The issue is documented in the Grafana Security Advisory. The vulnerability requires high privileges and high attack complexity, limiting the population of attackers who can exploit it.
Critical Impact
A user whose token-minting access was revoked can still mint service account tokens during a short post-revocation window, enabling continued access to resources tied to the service account.
Affected Products
- Grafana (refer to vendor advisory for affected version ranges)
- Deployments using service account token minting workflows
- Multi-tenant Grafana environments with privileged user role changes
Discovery Timeline
- 2026-05-13 - CVE-2026-33381 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-33381
Vulnerability Analysis
The vulnerability is a Time-of-Check Time-of-Use (TOCTOU) race condition affecting service account token minting in Grafana. Service accounts in Grafana represent non-human identities used to authenticate API calls and automation workflows. Minting a token for a service account produces credentials that act on behalf of that identity.
When an administrator revokes a user's permission to mint tokens, the authorization state change does not propagate immediately to every code path that evaluates the permission. During the propagation delay, the user can still issue valid token minting requests. The window is measured in seconds, but it is sufficient for an automated client to issue one or more requests after revocation has nominally occurred.
The vulnerability affects confidentiality and integrity because the resulting tokens can read and modify resources tied to the service account. Availability is not directly impacted.
Root Cause
The root cause is delayed permission propagation in Grafana's authorization layer. The system caches or asynchronously updates the access decision used by the token minting endpoint. Until the cache is refreshed or the change replicates, the previous authorization state remains effective for that user.
Attack Vector
An attacker must already hold high privileges in Grafana and must time requests to coincide with the revocation event. The attack is network-based and does not require user interaction. A malicious or compromised user, anticipating revocation, can script repeated token minting calls and capture any tokens issued during the propagation window. Those tokens then provide persistent access until they are independently revoked or expire.
Detection Methods for CVE-2026-33381
Indicators of Compromise
- Service account tokens created within seconds after a permission revocation event for the requesting user.
- Audit log entries showing successful serviceaccounts:write or token creation actions performed by users whose roles were just changed.
- Use of service account tokens that were minted by a user no longer authorized to mint them.
Detection Strategies
- Correlate Grafana audit logs for permission revocation events against subsequent token creation events from the same actor within a short time window.
- Alert on any token minting activity that occurs after a RolePermissionRemoved or equivalent administrative action targeting the same actor.
- Review service account token inventories for tokens whose creator lacked minting permissions at the time of token use.
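The correlation described above, as an added example that is not part of the original advisory: it parses constructed audit events (the JSON layout and the permission.revoke/permission.grant action names are assumptions, not Grafana's real audit format) and flags token mints by a user within a short window after that user's minting permission was revoked, ignoring mints before the revocation, by other users, or after the permission was granted again.

```python
import json
from datetime import datetime

# Constructed sample audit events (not real Grafana log output; field names are assumptions).
# One JSON object per line: timestamp, action, the acting user, and the target of the action.
SAMPLE_LOG = """
{"ts": "2026-05-13T10:00:00Z", "action": "serviceaccounts:write", "actor": "alice", "target": "sa-7"}
{"ts": "2026-05-13T10:00:05Z", "action": "permission.revoke", "actor": "admin", "target": "alice", "scope": "serviceaccounts:write"}
{"ts": "2026-05-13T10:00:06Z", "action": "serviceaccounts:write", "actor": "bob", "target": "sa-7"}
{"ts": "2026-05-13T10:00:07Z", "action": "serviceaccounts:write", "actor": "alice", "target": "sa-7"}
{"ts": "2026-05-13T10:00:09Z", "action": "serviceaccounts:write", "actor": "alice", "target": "sa-9"}
{"ts": "2026-05-13T10:00:20Z", "action": "permission.grant", "actor": "admin", "target": "alice", "scope": "serviceaccounts:write"}
{"ts": "2026-05-13T10:00:25Z", "action": "serviceaccounts:write", "actor": "alice", "target": "sa-7"}
"""

REVOKE_ACTION = "permission.revoke"     # assumed name of the revocation event
GRANT_ACTION = "permission.grant"       # assumed name of the re-grant event
MINT_ACTION = "serviceaccounts:write"   # token creation action named in the advisory


def parse_events(text):
    """Parse one JSON event per line and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_post_revocation_mints(events, window_seconds=30):
    """Return mints performed by a user within window_seconds after that user's
    minting permission was revoked and before it was granted again."""
    revoked_at = {}   # user -> timestamp of the latest still-effective revocation
    findings = []
    for e in events:
        if e["action"] == REVOKE_ACTION and e.get("scope") == MINT_ACTION:
            revoked_at[e["target"]] = e["ts"]
        elif e["action"] == GRANT_ACTION and e.get("scope") == MINT_ACTION:
            revoked_at.pop(e["target"], None)      # re-granted: later mints are legitimate
        elif e["action"] == MINT_ACTION and e["actor"] in revoked_at:
            delta = (e["ts"] - revoked_at[e["actor"]]).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({"actor": e["actor"], "target": e["target"],
                                 "seconds_after_revocation": delta})
    return findings


if __name__ == "__main__":
    for f in find_post_revocation_mints(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {f['actor']} minted a token for {f['target']} "
              f"{f['seconds_after_revocation']:.0f}s after revocation")
```

Running it on the constructed log reports alice's two mints at 10:00:07 and 10:00:09; the mint before the revocation, bob's mint, and the mint after the re-grant are not reported.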
Monitoring Recommendations
- Forward Grafana audit logs to a centralized logging platform and retain them for forensic review.
- Track service account token creation rates per user and alert on bursts that coincide with role changes.
- Periodically reconcile active tokens against current user permissions and flag mismatches.
How to Mitigate CVE-2026-33381
Immediate Actions Required
- Apply the Grafana patch documented in the Grafana Security Advisory.
- After revoking a user's token minting permission, immediately audit and rotate any service account tokens the user could have created.
- Restrict service account token minting privileges to a minimal set of administrative accounts.
Patch Information
Grafana has issued a security advisory addressing CVE-2026-33381. Refer to the Grafana Security Advisory for fixed versions and upgrade guidance. Upgrade affected Grafana instances to the patched release before relying on revocation as a control.
Workarounds
- When revoking token minting access, follow the revocation with immediate rotation of existing service account tokens linked to that scope.
- Reduce the blast radius by scoping service accounts to least-privilege roles, limiting what a stolen token can do.
- Consider disabling the affected user account entirely during role transitions, rather than relying solely on permission removal.
# Example: revoke one service account token after a permission change
# (the deletion step of a rotation; issue a replacement token afterwards).
# Replace SA_ID and TOKEN_ID with values from your Grafana instance and set
# ADMIN_TOKEN to a token with permission to manage service accounts.
curl -X DELETE \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  "https://grafana.example.com/api/serviceaccounts/${SA_ID}/tokens/${TOKEN_ID}"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.