Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin
High
| Advisory ID: | CVE-2026-33377 |
| Published: | 2026-05-13 |
| Product: | Grafana |
| CVSS Score: | 7.1 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
| Fixed Versions: | >=11.6.14+security-04, >=12.2.8+security-04, >=12.3.6+security-04, >=12.4.3+security-02, >=13.0.1+security-01 |
Summary
A user with the Editor role can overwrite a dashboard they do not own and, by doing so, acquire admin permissions on that specific dashboard. The user must have write access to the dashboard in order to escalate privileges.
This vulnerability was reported via our bug bounty program.
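To check a fleet against the Fixed Versions row above, the following added example (not code from Grafana or from this advisory) classifies a running version string per release line. It assumes that `X.Y.Z` sorts below `X.Y.Z+security-NN`, which in turn sorts below `X.Y.(Z+1)`, and it gives no verdict for release lines the advisory does not list; the function names and sample versions are constructed for illustration.

```python
import re

# Fixed versions copied from the advisory's "Fixed Versions" row.
FIXED = [
    "11.6.14+security-04",
    "12.2.8+security-04",
    "12.3.6+security-04",
    "12.4.3+security-02",
    "13.0.1+security-01",
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse(version):
    """Return (major, minor, patch, security_rev); security_rev is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


# Index the fixed versions by release line (major, minor).
FIXED_BY_LINE = {parse(v)[:2]: parse(v) for v in FIXED}


def status(version):
    """Classify a running version as 'fixed', 'below-fix' or 'unlisted-line'."""
    parsed = parse(version)
    fixed = FIXED_BY_LINE.get(parsed[:2])
    if fixed is None:
        # Assumption: the advisory says nothing about other release lines,
        # so no verdict is derived for them.
        return "unlisted-line"
    # Assumption: X.Y.Z < X.Y.Z+security-NN < X.Y.(Z+1), i.e. tuple ordering.
    return "fixed" if parsed >= fixed else "below-fix"


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for v in ["12.3.6", "12.3.6+security-04", "12.4.4", "11.6.14+security-03", "12.1.0"]:
        print(f"{v:24} {status(v)}")
```

A `below-fix` result means the instance should be upgraded to at least the fixed version for its release line; `unlisted-line` means the advisory text alone is not enough to decide.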