Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable Grafana API (AV:N), authenticated user required (PR:L), race-window timing raises complexity (AC:H); minted token yields high C/I but no availability impact.
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
Description (NVD)
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
Analysis (AI)
Privilege revocation race condition in Grafana OSS allows a user whose service-account token-minting permission was just revoked to continue minting tokens for several seconds after the revocation event. The flaw, tagged as an authentication bypass affecting multiple supported branches of Grafana OSS (11.x, 12.x, 13.x), can yield high confidentiality and integrity impact by granting persistent API access via newly minted service-account tokens. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Requires an authenticated Grafana OSS user (PR:L) who currently holds, or held within the last few seconds, permission to mint tokens for a target service account, and who issues the mint request during the brief staleness window immediately following revocation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are split. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Grafana editor or org admin who anticipates being demoted or offboarded scripts a tight loop that calls the service-account token-mint API. When an administrator revokes their permission, the attacker's loop continues to succeed for a few seconds, producing one or more long-lived API tokens that they then use from any network location to read dashboards, query datasources, or call admin endpoints long after their interactive access is gone. … |
| Remediation | Vendor-released patches are available: upgrade to 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, or 13.0.1+security-01 according to your deployed branch, per https://grafana.com/security/security-advisories/cve-2026-33381. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Inventory all Grafana OSS deployments and identify instances running versions 11.x, 12.x, or 13.x. …
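As an added example (not code from the page, NVD or Grafana), a small Python triage helper for the inventory step above: it compares reported Grafana versions against the fixed releases listed in the Remediation row. The hostnames and versions in the sample inventory are constructed; a branch with no listed fix is flagged for review rather than assumed safe.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases per supported branch, as listed in the Remediation row
# (from the Grafana advisory for CVE-2026-33381).
FIXED_VERSIONS = {
    (11, 6): "11.6.14+security-04",
    (12, 2): "12.2.8+security-04",
    (12, 3): "12.3.6+security-04",
    (12, 4): "12.4.3+security-02",
    (13, 0): "13.0.1+security-01",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split 'MAJOR.MINOR.PATCH[+security-NN]' into a comparable tuple.
    A release with no +security suffix sorts below one with any suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the branch fix, False if below, None when the
    MAJOR.MINOR branch has no fix listed here (manual review, not safe)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= parse_version(fixed)


# Constructed sample inventory: hostname -> Grafana version it reports.
SAMPLE_INVENTORY = {
    "grafana-prod-01": "12.2.8+security-04",
    "grafana-prod-02": "12.2.8+security-03",
    "grafana-staging": "11.6.14",
    "grafana-lab": "13.0.1+security-01",
    "grafana-legacy": "10.4.2",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'patched', 'vulnerable' or 'review'."""
    labels = {True: "patched", False: "vulnerable", None: "review"}
    return {host: labels[is_patched(v)] for host, v in inventory.items()}
```

Run `triage(SAMPLE_INVENTORY)` to get the per-host labels; a higher patch release on a listed branch (for example 12.2.9) is treated as including the fix.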
Vendor Status
SUSE
Severity: Medium

| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools for SLE 15 | Fixed |
| SUSE Multi-Linux Manager Client Tools for SLE 15 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| ses/7.1/ceph/grafana ses/7/ceph/grafana suse/multi-linux-manager/5.2/x86_64/monitoring-grafana | Fixed |
EUVD-2026-30146
GHSA-wfhv-mj62-f5xh