CVE-2026-33377
7.1 HIGHAn Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard
Published: 2026-05-13 · Last updated: 2026-06-02
Severity and scoring
- CVSS
- 7.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
- CWE
- CWE-284, CWE-287
Affected products
| Vendor | Product |
|---|---|
| grafana | grafana |
Description
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-33381 — When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the... (5.9 MEDIUM)
- CVE-2026-33380 — A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem (6.3 MEDIUM)
- CVE-2026-33378 — Using the $__timeGroup macro, one can achieve an OOM by overloading the server (6.5 MEDIUM)
- CVE-2026-33376 — When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses (7.4 HIGH)
- CVE-2026-28383 — A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory (6.5 MEDIUM)
Same CWE
- CVE-2026-48780 — Forem is open source software for building communities (8.2 HIGH)
- CVE-2026-47261 — Wasmtime is a runtime for WebAssembly (7.5 HIGH)
- CVE-2026-50892 — Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attacke... (6.5 MEDIUM)
- CVE-2026-50891 — Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a cra... (8.1 HIGH)
- CVE-2026-50886 — Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources vi... (9.1 CRITICAL)