Cyber Resilience

CVE-2026-33377

HighUpdated

Published: 13 May 2026

Published
13 May 2026
Modified
02 June 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0001 2.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33377 is a high-severity Improper Authentication (CWE-287) vulnerability in Grafana Grafana. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct improper access control (CWE-284) allows an Editor role to escalate to dashboard admin via unauthorized overwrite, matching Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21721Same product: Grafana Grafana
CVE-2026-33376Same product: Grafana Grafana
CVE-2026-27877Same product: Grafana Grafana
CVE-2026-21720Same product: Grafana Grafana
CVE-2026-27880Same product: Grafana Grafana
CVE-2026-27876Same product: Grafana Grafana
CVE-2026-48898Shared CWE-284
CVE-2026-25176Shared CWE-284
CVE-2026-48899Shared CWE-284
CVE-2026-37526Shared CWE-284

Affected Assets

grafana
grafana
11.6.14, 12.2.8, 12.3.6, 12.4.3, 13.0.0 · 8.5.0 — 11.6.14 · 12.2.0 — 12.2.8 · 12.3.0 — 12.3.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-284 CWE-287

The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.

addresses: CWE-284 CWE-287

Training covers access control policies and the consequences of improper access grants or usage by users.

addresses: CWE-284 CWE-287

Security training teaches access control policies and enforcement, reducing improper access control implementations.

addresses: CWE-284 CWE-287

Provides capability to review session content, directly detecting violations of access control.

addresses: CWE-284 CWE-287

System audit review detects violations of access controls by identifying unauthorized access attempts.

addresses: CWE-284 CWE-287

Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation.

addresses: CWE-284 CWE-287

Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems.

addresses: CWE-284 CWE-287

Penetration testing simulates unauthorized access attempts, directly detecting and enabling remediation of improper access control weaknesses.

References