CVE-2026-33906

High

Published: 27 March 2026

Modified: 20 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33906 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Ellanetworks Ella Core. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33906 affects Ella Core, a 5G core implementation designed for private networks, in versions prior to 1.7.0. The vulnerability stems from the NetworkManager role being granted backup and restore permissions, where the restore endpoint accepts any valid SQLite file without verifying its contents. This improper privilege management (CWE-269) allows a malicious actor to replace the production database with a tampered copy. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impact.

Exploitation requires an account that already holds the NetworkManager role (hence PR:H), but from there the attack works over the network with low complexity and no user interaction: the user uploads a crafted SQLite database via the restore endpoint. Successful exploitation enables privilege escalation to Admin level, granting unauthorized access to sensitive features explicitly denied to the NetworkManager role, including user management, audit logs, debug endpoints, and operator identity configuration.

Mitigation is addressed in Ella Core version 1.7.0, where backup and restore permissions have been removed from the NetworkManager role. Relevant advisories and fixes are detailed in the GitHub security advisory (GHSA-87j9-m7x6-hvw2), the v1.7.0 release notes, and the fixing commit (1e4768288a6519fcb63ec83f851584ecebb8a972). Security practitioners should upgrade to version 1.7.0 or later to remediate the issue.

Vulnerability details

Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied. In version 1.7.0, backup and restore permissions have been removed from the NetworkManager role.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability description explicitly details how a NetworkManager user can abuse the restore endpoint, which accepts any valid SQLite file without verifying its contents, to tamper with the production database and escalate privileges to Admin, directly mapping to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33282: Same product: Ellanetworks Ella Core
CVE-2026-33281: Same product: Ellanetworks Ella Core
CVE-2026-33283: Same product: Ellanetworks Ella Core
CVE-2026-32320: Same product: Ellanetworks Ella Core
CVE-2026-32319: Same product: Ellanetworks Ella Core
CVE-2024-44250: Shared CWE-269
CVE-2024-53706: Shared CWE-269
CVE-2025-66374: Shared CWE-269
CVE-2026-28995: Shared CWE-269
CVE-2025-43199: Shared CWE-269

Affected Assets

ellanetworks
ella core
≤ 1.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege by removing unnecessary backup and restore permissions from the NetworkManager role, directly preventing privilege escalation via tampered database restores.

prevent

Requires validation of SQLite file contents at the restore endpoint to block tampered databases from being uploaded and executed.

prevent

Enforces access control policies to restrict unauthorized roles from accessing the vulnerable restore endpoint.
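
The access-enforcement and content-validation controls above, sketched as a restore-time check. This is an example added here, not code from Ella Core or its fix: the `users` table, its `email` and `role` columns, the role names and every function name are assumptions for illustration, and the sample databases are constructed.

```python
import sqlite3
from contextlib import closing
from pathlib import Path

# Assumed for illustration (not Ella Core's real schema): a `users` table
# with `email` and `role` columns, and these role names.
ADMIN = "admin"
MAY_RESTORE = {ADMIN}  # least privilege: NetworkManager is not listed


def make_db(target, rows):
    """Build a constructed sample database (file path or ':memory:')."""
    conn = sqlite3.connect(target)
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    conn.commit()
    return conn


def roles(conn):
    """Return {email: role} from the assumed users table."""
    return dict(conn.execute("SELECT email, role FROM users"))


def backup_roles(path):
    """Read roles from an uploaded backup, opened read-only."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as up:
        if up.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise sqlite3.DatabaseError("integrity_check failed")
        return roles(up)


def check_restore(live, upload_path, caller_role):
    """Return reasons to refuse the restore; an empty list means accept."""
    if caller_role not in MAY_RESTORE:  # access enforcement comes first
        return [f"role {caller_role!r} may not restore backups"]
    try:
        uploaded = backup_roles(upload_path)
    except sqlite3.Error as exc:  # not SQLite, corrupt, or no users table
        return [f"unreadable backup: {exc}"]
    current = roles(live)
    # A backup that creates or promotes an admin needs explicit sign-off.
    return [f"{email} would gain {ADMIN}"
            for email, role in sorted(uploaded.items())
            if role == ADMIN and current.get(email) != ADMIN]
```

A non-empty result is a reason to hold the restore for review and write an audit record; the role check alone corresponds to the change the page describes for version 1.7.0.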