CVE-2026-33377
Published 2026-05-13
CVE-2026-33377: An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate…
Priority P338 · high · 7.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS: 0.23% (13.1th percentile)
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | >= 12.2.0 < 12.2.8 | 12.2.8 |
| grafana | grafana | >= 12.3.0 < 12.3.6 | 12.3.6 |
| grafana | grafana | >= 12.4.0 < 12.4.3 | 12.4.3 |
| grafana | grafana | >= 8.5.0 < 11.6.14 | 11.6.14 |
| grafana | grafana_oss | >= 11.6.14 < 11.6.14+security-04 | 11.6.14+security-04 |
| grafana | grafana_oss | 12.0.0 – 12.2.8 | — |
| grafana | grafana_oss | >= 12.2.8 < 12.2.8+security-04 | 12.2.8+security-04 |
| grafana | grafana_oss | 12.3.0 – 12.3.6 | — |
| grafana | grafana_oss | >= 12.3.6 < 12.3.6+security-04 | 12.3.6+security-04 |
| grafana | grafana_oss | 12.4.0 – 12.4.3 | — |
| grafana | grafana_oss | >= 12.4.3 < 12.4.3+security-02 | 12.4.3+security-02 |
| grafana | grafana_oss | 13.0.0 – 13.0.1 | — |
| grafana | grafana_oss | >= 13.0.1 < 13.0.1+security-01 | 13.0.1+security-01 |
| grafana | grafana_oss | 8.5.0 – 11.6.14 | — |
VulDB
Grafana OSS up to 13.0.1+security-00 access control (WID-SEC-2026-1546)
vuldb·2026-05-16·CVSS 7.1
CVE-2026-33377 [HIGH] Grafana OSS up to 13.0.1+security-00 access control (WID-SEC-2026-1546)
A vulnerability was found in Grafana OSS and classified as critical. This impacts an unknown function. Executing a manipulation can lead to improper access controls.
The identification of this vulnerability is CVE-2026-33377. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
GHSA-5cv7-h7gr-wjgh: An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard
ghsa_unreviewed·2026-05-13
CVE-2026-33377 [HIGH] CWE-284 GHSA-5cv7-h7gr-wjgh: An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-13
Published