What is CVE-2026-33377?

CVE-2026-33377 is a security advisory published by Grafana Labs Security. Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin

Why does CVE-2026-33377 have no CVE ID yet?

Grafana Labs Security published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

CVE-2026-33377Disclosed before NVD

Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin

Vendor

Grafana Labs Security

Published

May 13, 2026

Last Modified

—

📋 Description

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. This vulnerability was reported via our bug bounty program.

🔗 References (1)

advisoryhttps://grafana.com/security/security-advisories/cve-2026-33377/