CVEFinder.io

CVE-2026-33377

⚠️ high
🔍 Scan for this CVE
Summary

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

CVSS Score
7.1
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-13
First Seen: 2026-05-17
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 53.3% of all 328,009 vulnerabilities in our database.

#153,061
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 16, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2026-06-02
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CWE IDs (Weakness Types)
CWE-287 CWE-284

📦 Affected Products 10

Vendor Product Status Affected Versions
grafana grafana Affected
> 8.5.0 < 11.6.14
grafana grafana Affected
> 12.2.0 < 12.2.8
grafana grafana Affected
> 12.3.0 < 12.3.6
grafana grafana Affected
> 12.4.0 < 12.4.3
grafana grafana Affected
v11.6.14
grafana grafana Affected
v12.2.8
grafana grafana Affected
v12.3.6
grafana grafana Affected
v12.4.3
grafana grafana Affected
v13.0.0
grafana grafana Affected
v13.0.1

🔗 References 1

https://grafana.com/security/security-advisories/cve...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-28374 🔶 medium 4.3 0.0 Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read t... 2026-05-13
CVE-2026-28376 🔶 medium 6.5 0.0 The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming req... 2026-05-13
CVE-2026-28379 🔶 medium 6.5 0.0 A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concur... 2026-05-13
CVE-2026-28380 🔶 medium 6.5 0.0 Any Editor could delete any snapshot, even if they have no access to read or write them. 2026-05-13
CVE-2026-28383 🔶 medium 6.5 0.0 A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request b... 2026-05-13
CVE-2026-33376 ⚠️ high 7.4 0.0 When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask expl... 2026-05-13
These CVEs affect the same products