HIGH · CVE-2026-33377 · Published · Modified · CNA GRAFANA

CVE-2026-33377: Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 11.6.14+security-04
Affected Products: 1

Fix available

11.6.14+security-04 · 12.2.8+security-04 · 12.3.6+security-04 · 12.4.3+security-02 · 13.0.1+security-01

Affected packages
  • Grafana / Grafana OSS
    ≤ 11.6.14 · < 11.6.14+security-04 (from 11.6.14) · ≤ 12.2.8 · < 12.2.8+security-04 (from 12.2.8) · ≤ 12.3.6 · < 12.3.6+security-04 (from 12.3.6)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
References