CVE-2026-33377
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
13/05/2026
Last modified:
02/06/2026
Description
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 8.5.0 (including) | 11.6.14 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 12.2.0 (including) | 12.2.8 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 12.3.0 (including) | 12.3.6 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 12.4.0 (including) | 12.4.3 (excluding) |
| cpe:2.3:a:grafana:grafana:11.6.14:-:*:*:*:*:*:* | ||
| cpe:2.3:a:grafana:grafana:11.6.14:security01:*:*:*:*:*:* | ||
| cpe:2.3:a:grafana:grafana:12.2.8:-:*:*:*:*:*:* | ||
| cpe:2.3:a:grafana:grafana:12.2.8:security01:*:*:*:*:*:* | ||
| cpe:2.3:a:grafana:grafana:12.3.6:-:*:*:*:*:*:* | ||
| cpe:2.3:a:grafana:grafana:12.3.6:security01:*:*:*:*:*:* | ||
| cpe:2.3:a:grafana:grafana:12.4.3:-:*:*:*:*:*:* | ||
| cpe:2.3:a:grafana:grafana:13.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:grafana:grafana:13.0.1:-:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page



