CVE-2026-33906
Published: 27 March 2026
Summary
CVE-2026-33906 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Ellanetworks Ella Core. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces least privilege by restricting NetworkManager role from unnecessary backup and restore permissions, directly preventing privilege escalation via tampered database restores.
Requires validation of SQLite file contents at the restore endpoint to block tampered databases from being uploaded and executed.
Enforces access control policies to restrict unauthorized roles from accessing the vulnerable restore endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability description explicitly details how a NetworkManager user can exploit the unauthenticated restore endpoint (accepting any SQLite DB) to tamper with the production database and escalate privileges to Admin, directly mapping to Exploitation for Privilege Escalation.
NVD Description
Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the…
more
production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied. In version 1.7.0, backup and restore permissions have been removed from the NetworkManager role.
Deeper analysisAI
CVE-2026-33906 affects Ella Core, a 5G core implementation designed for private networks, in versions prior to 1.7.0. The vulnerability stems from the NetworkManager role being granted backup and restore permissions, where the restore endpoint accepts any valid SQLite file without verifying its contents. This improper privilege management (CWE-269) allows a malicious actor to replace the production database with a tampered copy. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impact.
A NetworkManager user, who requires high privileges (PR:H) but can attack over the network with low complexity and no user interaction, can exploit this by uploading a crafted SQLite database via the restore endpoint. Successful exploitation enables privilege escalation to Admin level, granting unauthorized access to sensitive features explicitly denied to the NetworkManager role, including user management, audit logs, debug endpoints, and operator identity configuration.
Mitigation is addressed in Ella Core version 1.7.0, where backup and restore permissions have been removed from the NetworkManager role. Relevant advisories and fixes are detailed in the GitHub security advisory (GHSA-87j9-m7x6-hvw2), the v1.7.0 release notes, and the fixing commit (1e4768288a6519fcb63ec83f851584ecebb8a972). Security practitioners should upgrade to version 1.7.0 or later to remediate the issue.
Details
- CWE(s)