Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard...

7.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Description

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

Basic Information

ID CVE-2026-33377

Source GRAFANA

Published May 13, 2026 at 19:28

Modified May 13, 2026 at 19:35

Affected Product

Vendor Grafana

Product Grafana OSS

Version 8.5.0

Affected Versions Grafana Grafana OSS 8.5.0
Grafana Grafana OSS 11.6.14
Grafana Grafana OSS 12.0.0
Grafana Grafana OSS 12.2.8
Grafana Grafana OSS 12.3.0
Grafana Grafana OSS 12.3.6
Grafana Grafana OSS 12.4.0
Grafana Grafana OSS 12.4.3
Grafana Grafana OSS 13.0.0
Grafana Grafana OSS 13.0.1

References

grafana.com /security/security-advisories/cve-2026-33377

{
    "lastseen": "",
    "description": "An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.",
    "published": "2026-05-13T19:28:28.154Z",
    "modified": "2026-05-13T19:35:08.443Z",
    "type": "cve",
    "title": "Dashboard Import Overwrites ACL \u2014 Editor Privilege Escalation to Dashboard Admin",
    "source": "GRAFANA",
    "references": "https://grafana.com/security/security-advisories/cve-2026-33377",
    "id": "CVE-2026-33377",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Grafana Grafana OSS 8.5.0\nGrafana Grafana OSS 11.6.14\nGrafana Grafana OSS 12.0.0\nGrafana Grafana OSS 12.2.8\nGrafana Grafana OSS 12.3.0\nGrafana Grafana OSS 12.3.6\nGrafana Grafana OSS 12.4.0\nGrafana Grafana OSS 12.4.3\nGrafana Grafana OSS 13.0.0\nGrafana Grafana OSS 13.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Grafana OSS",
    "version": "8.5.0",
    "vendor": "Grafana",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin_CVE-2026-33377

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply