CVE-2026-33377
Analyzed
Analyzed - Analysis Complete
BaseFortify
Vulnerability report for CVE-2026-33377, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-13
Last updated on: 2026-06-02
Assigner: Grafana Labs
Description
Description
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | grafana | From 12.2.0 (inc) to 12.2.8 (exc) |
| grafana | grafana | From 12.3.0 (inc) to 12.3.6 (exc) |
| grafana | grafana | 11.6.14 |
| grafana | grafana | 12.2.8 |
| grafana | grafana | 12.3.6 |
| grafana | grafana | From 12.4.0 (inc) to 12.4.3 (exc) |
| grafana | grafana | 11.6.14 |
| grafana | grafana | 12.2.8 |
| grafana | grafana | 12.3.6 |
| grafana | grafana | 13.0.0 |
| grafana | grafana | 13.0.1 |
| grafana | grafana | 12.4.3 |
| grafana | grafana | From 8.5.0 (inc) to 11.6.14 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
