CVE-2026-33906
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
The NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents.
Impact
A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied.
Fix
Backup and restore permissions have been removed from the NetworkManager role.
AnalysisAI
Privilege escalation in ellanetworks/core allows NetworkManager role holders to replace the production SQLite database through an unvalidated restore endpoint, escalating to Admin privileges with full access to user management, audit logs, and system configuration. The NetworkManager role was improperly granted backup/restore permissions, and the restore function accepted arbitrary SQLite files without content validation. Vendor patch available in v1.7.0 (commit 1e47682). EPSS exploitation probability is low (0.03%, 8th percentile), and no active exploitation or public POC identified at time of analysis.
Technical ContextAI
This vulnerability affects the ellanetworks/core Go package, specifically in its role-based access control (RBAC) implementation and database backup/restore functionality. The flaw is classified as CWE-269 (Improper Privilege Management), indicating a design flaw in permission assignment. The NetworkManager role was granted database restore capabilities without implementing integrity checks on restored database files. SQLite, being a file-based database, can be entirely replaced via file operations, and the restore endpoint lacked validation of database schema, content signatures, or role definitions within the uploaded file. This allowed an authenticated user with NetworkManager privileges to craft a malicious SQLite database file containing elevated Admin credentials or modified role definitions, then use the legitimate restore function to atomically replace the production database, bypassing normal privilege escalation protections.
RemediationAI
Upgrade to ellanetworks/core v1.7.0 or later, which removes backup and restore permissions from the NetworkManager role (fix commit 1e4768288a6519fcb63ec83f851584ecebb8a972). Download from https://github.com/ellanetworks/core/releases/tag/v1.7.0. If immediate upgrade is not feasible, implement compensating controls: (1) Audit all NetworkManager role assignments and revoke the role from any accounts that don't require network configuration responsibilities-this directly eliminates the attack vector. (2) Implement external monitoring of database file modifications with alerts on any changes to the SQLite database file outside scheduled maintenance, providing detection of exploitation attempts. (3) If backup/restore functionality is business-critical for NetworkManagers, manually remove the restore permission via role configuration until upgrade (may break operational workflows requiring database recovery). Note that restricting network access (firewall rules) provides minimal value since PR:H indicates the attacker already has authenticated access to the management interface.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today