Skip to main content

CVE-2026-33906

HIGH
Improper Privilege Management (CWE-269)
2026-03-26 https://github.com/ellanetworks/core
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 20, 2026 - 12:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 12:37 vuln.today
cvss_changed
Analysis Generated
Mar 26, 2026 - 22:16 vuln.today
Patch released
Mar 26, 2026 - 22:16 nvd
Patch available
CVE Published
Mar 26, 2026 - 22:14 nvd
HIGH 7.2

DescriptionGitHub Advisory

Summary

The NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents.

Impact

A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied.

Fix

Backup and restore permissions have been removed from the NetworkManager role.

AnalysisAI

Privilege escalation in ellanetworks/core allows NetworkManager role holders to replace the production SQLite database through an unvalidated restore endpoint, escalating to Admin privileges with full access to user management, audit logs, and system configuration. The NetworkManager role was improperly granted backup/restore permissions, and the restore function accepted arbitrary SQLite files without content validation. Vendor patch available in v1.7.0 (commit 1e47682). EPSS exploitation probability is low (0.03%, 8th percentile), and no active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects the ellanetworks/core Go package, specifically in its role-based access control (RBAC) implementation and database backup/restore functionality. The flaw is classified as CWE-269 (Improper Privilege Management), indicating a design flaw in permission assignment. The NetworkManager role was granted database restore capabilities without implementing integrity checks on restored database files. SQLite, being a file-based database, can be entirely replaced via file operations, and the restore endpoint lacked validation of database schema, content signatures, or role definitions within the uploaded file. This allowed an authenticated user with NetworkManager privileges to craft a malicious SQLite database file containing elevated Admin credentials or modified role definitions, then use the legitimate restore function to atomically replace the production database, bypassing normal privilege escalation protections.

RemediationAI

Upgrade to ellanetworks/core v1.7.0 or later, which removes backup and restore permissions from the NetworkManager role (fix commit 1e4768288a6519fcb63ec83f851584ecebb8a972). Download from https://github.com/ellanetworks/core/releases/tag/v1.7.0. If immediate upgrade is not feasible, implement compensating controls: (1) Audit all NetworkManager role assignments and revoke the role from any accounts that don't require network configuration responsibilities-this directly eliminates the attack vector. (2) Implement external monitoring of database file modifications with alerts on any changes to the SQLite database file outside scheduled maintenance, providing detection of exploitation attempts. (3) If backup/restore functionality is business-critical for NetworkManagers, manually remove the restore permission via role configuration until upgrade (may break operational workflows requiring database recovery). Note that restricting network access (firewall rules) provides minimal value since PR:H indicates the attacker already has authenticated access to the management interface.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-33906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy