MEDIUM 5.9

GHSA-wfhv-mj62-f5xh

Grafana: Users can generate Service Account tokens after permissions removal

Details

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/grafana/grafana

Introduced in: 0 Fixed in: 1.9.2-0.20260513165311-fb7336fc36c1

Fix go get github.com/grafana/grafana@v1.9.2-0.20260513165311-fb7336fc36c1

References

https://nvd.nist.gov/vuln/detail/CVE-2026-33381 [ADVISORY]
https://github.com/grafana/grafana/commit/fb7336fc36c14e1ff869482c5085ddb9f39e1b86 [WEB]
https://github.com/grafana/grafana [PACKAGE]
https://grafana.com/security/security-advisories/cve-2026-33381 [WEB]