CVE-2026-33377

Description

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Affected products

Grafana / Grafana OSS8.5.0 – 11.6.14
Grafana / Grafana OSS11.6.14 – 11.6.14+security-04
Grafana / Grafana OSS12.0.0 – 12.2.8
Grafana / Grafana OSS12.2.8 – 12.2.8+security-04
Grafana / Grafana OSS12.3.0 – 12.3.6
Grafana / Grafana OSS12.3.6 – 12.3.6+security-04
Grafana / Grafana OSS12.4.0 – 12.4.3
Grafana / Grafana OSS12.4.3 – 12.4.3+security-02
Grafana / Grafana OSS13.0.0 – 13.0.1
Grafana / Grafana OSS13.0.1 – 13.0.1+security-01

References

VENDOR_ADVISORYhttps://grafana.com/security/security-advisories/cve-2026-33377