What is the CVSS score of CVE-2026-33377?

CVE-2026-33377 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Grafana OSS are affected by CVE-2026-33377?

Grafana OSS contains a privilege escalation vulnerability (CVE-2026-33377) that permits authenticated dashboard editors to gain administrative permissions on dashboards outside their authority.. A patch is available.

How to fix or mitigate CVE-2026-33377?

Within 24 hours: Identify all Grafana OSS instances in your environment and document their versions. Within 7 days: Apply patch available per vendor advisory to all affected Grafana instances; consult Grafana security advisories for version-specific guidance. Within 30 days: Audit dashboard ownership and Editor role assignments, particularly in multi-tenant deployments, to identify unauthorized dashboard modifications.

Grafana OSS CVE-2026-33377

EUVD-2026-30143 HIGH

Improper Access Control (CWE-284)

2026-05-13 GRAFANA

GHSA-5cv7-h7gr-wjgh

Authentication Bypass Grafana Oss

7.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

SUSE

HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 08, 2026 - 10:31 vuln.today

Patch available

May 13, 2026 - 21:02 EUVD

DescriptionCVE.org

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

AnalysisAI

Privilege escalation in Grafana OSS allows an authenticated Editor with write access to a dashboard they do not own to overwrite that dashboard and acquire admin permissions on it. The flaw, tracked as CVE-2026-33377 and disclosed by Grafana with patches across multiple maintained branches, has CVSS 7.1 reflecting high integrity impact via low-privileged network access. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as Editor with dashboard write access

Delivery

Send dashboard overwrite request to Grafana API

Exploit

Bypass owner check via CWE-284 flaw

Execution

Receive admin permission on target dashboard

Persist

Modify dashboard ACLs and content

Impact

Persist control by removing original owner

Access

Authenticate as Editor with dashboard write access

Delivery

Send dashboard overwrite request to Grafana API

Exploit

Bypass owner check via CWE-284 flaw

Execution

Receive admin permission on target dashboard

Persist

Modify dashboard ACLs and content

Impact

Persist control by removing original owner

Vulnerability AssessmentAI

Exploitation	The attacker must hold a valid Grafana OSS account with the Editor role and must already have write access to the specific target dashboard (granted directly, by team membership, or by folder permissions). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are mixed and lean toward a moderate, contextual risk rather than urgent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker holding Editor credentials in a shared Grafana OSS tenant identifies a sensitive dashboard owned by another team to which they have been granted write access (for example, for collaborative editing). Using the dashboard overwrite operation, they trigger the flawed access-control path and obtain Admin permission on that dashboard, allowing them to change its viewers/editors, revoke the original owner's access, and pivot to silently alter what users see (queries, alert thresholds, panels). …
Remediation	Upgrade to a Grafana-released patched build: 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, or 13.0.1+security-01, whichever corresponds to your branch, per the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-33377. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Grafana OSS instances in your environment and document their versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

Product	Status
SUSE Linux Enterprise Module for Package Hub 15 SP7	Fixed
SUSE Manager Client Tools 15	Fixed
SUSE Manager Client Tools for SLE 15	Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4	Fixed

CVE-2026-33377 vulnerability details – vuln.today

Back

Grafana OSS CVE-2026-33377

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code