CVE-2026-33377: Dashboard Privilege Escalation Vulnerability
The National Vulnerability Database has published details on CVE-2026-33377, a high-severity vulnerability (CVSS 7.1) that allows an editor to overwrite a dashboard they do not own. According to the NVD entry, this can lead to privilege escalation, granting the attacker admin rights over that specific dashboard. The prerequisite for exploitation is that the attacker already holds write access to a dashboard.
This is not a zero-day that grants initial access, but it is a serious vertical privilege escalation. Once an attacker holds an editor account, they can use this flaw to take admin control of dashboards owned by other users, potentially exposing the sensitive data those dashboards display, tampering with what other users see, or enabling further movement within the environment. The attacker's calculus is straightforward: go from a standard editor role to administrator of a chosen dashboard and broaden their reach from there.
For defenders, the NVD entry names no specific affected product, so a broad risk assessment is necessary until the vendor advisory linked from the NVD entry identifies the product and fixed version. Any application with a dashboarding feature that allows user-created or user-managed dashboards, particularly one with role-based access controls distinguishing 'editors' from 'admins', should be scrutinized. The vulnerability is an instance of a common design flaw: a write permission that is checked at the role level (may this user write dashboards?) rather than at the object level (may this user write this dashboard?), so write access to one object can be leveraged to take over another and circumvent the intended ownership boundary.
What This Means For You
- If your organization uses any dashboarding solution where users can create or modify dashboards, assess how it handles ownership and write permissions. Verify that an editor's write permission is evaluated against the specific dashboard being overwritten (its owner or per-dashboard ACL), not merely against the editor role, and test the overwrite path explicitly, since create and overwrite often share a handler. Prioritize reviewing access controls on dashboarding platforms that handle sensitive data or operational controls.
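The following is an added example, not code from the affected product or from the original page: a toy dashboard store that models the flaw described above, a role-level write check standing in for an object-level one, next to a hardened save path. The class and field names, the per-dashboard `admins` ACL, and the rule that the saver of an overwritten dashboard becomes its owner and admin are all assumptions made to illustrate the NVD description.

```python
"""Added example: models the authorization flaw behind CVE-2026-33377 in a toy
dashboard store. Not the affected product's code; every name here is assumed."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a save is refused by the authorization check."""


class Conflict(Exception):
    """Raised when the UID already exists and overwrite was not requested."""


@dataclass
class Dashboard:
    uid: str
    owner: str
    title: str
    # Users holding admin rights on this specific dashboard (assumed ACL model).
    admins: set = field(default_factory=set)


class DashboardStore:
    # Global roles: 'viewer' < 'editor' < 'admin'. Editors may create dashboards.
    def __init__(self, roles):
        self.roles = dict(roles)  # user -> global role
        self.dashboards = {}      # uid  -> Dashboard

    def _can_write_some_dashboard(self, user):
        # Role-level check: does this user have write access to dashboards at all?
        return self.roles.get(user) in ("editor", "admin")

    def _can_write_this_dashboard(self, user, dash):
        # Object-level check: global admin, the owner, or a per-dashboard admin.
        return (self.roles.get(user) == "admin"
                or user == dash.owner
                or user in dash.admins)

    def save_vulnerable(self, user, uid, title, overwrite=False):
        """Flawed pattern: only the role-level check guards the overwrite path.
        With overwrite=True an existing dashboard is replaced wholesale and the
        caller becomes its owner and admin, whoever owned it before."""
        if not self._can_write_some_dashboard(user):
            raise Forbidden(user)
        if uid in self.dashboards and not overwrite:
            raise Conflict(uid)
        self.dashboards[uid] = Dashboard(uid, user, title, {user})
        return self.dashboards[uid]

    def save_fixed(self, user, uid, title, overwrite=False):
        """Hardened pattern: the overwrite path authorizes against the existing
        object and carries its owner and ACL over instead of re-deriving them."""
        if not self._can_write_some_dashboard(user):
            raise Forbidden(user)
        existing = self.dashboards.get(uid)
        if existing is None:
            self.dashboards[uid] = Dashboard(uid, user, title, {user})
            return self.dashboards[uid]
        if not overwrite:
            raise Conflict(uid)
        if not self._can_write_this_dashboard(user, existing):
            raise Forbidden(user)
        existing.title = title  # content changes; owner and admins do not
        return existing


def demo():
    """Constructed scenario: alice (editor) owns 'sales'; mallory (editor)
    tries to take it over via overwrite on each save path."""
    results = {}
    for name in ("save_vulnerable", "save_fixed"):
        store = DashboardStore({"alice": "editor", "mallory": "editor"})
        save = getattr(store, name)
        save("alice", "sales", "Q1 sales")
        try:
            dash = save("mallory", "sales", "pwned", overwrite=True)
            results[name] = ("overwritten", dash.owner, "mallory" in dash.admins)
        except Forbidden:
            dash = store.dashboards["sales"]
            results[name] = ("refused", dash.owner, "mallory" in dash.admins)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable path reports `('overwritten', 'mallory', True)`: the editor now owns and administers a dashboard that was alice's. The fixed path reports `('refused', 'alice', False)` while still letting alice overwrite her own dashboard, which is the behaviour the bullet above asks you to verify.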
🛡️ Detection Rules
CVE-2026-33377: Dashboard Privilege Escalation via Unauthorized Overwrite
```yaml
# The title value contains ': ', which YAML does not allow in a plain scalar, so it is quoted.
title: 'CVE-2026-33377: Dashboard Privilege Escalation via Unauthorized Overwrite'
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects a successful PUT to a dashboards API path with 'overwrite=true' in the
  query string. A web server log does not show the actor's role or the dashboard's
  owner, so a hit is only a candidate CVE-2026-33377 exploitation attempt (an Editor
  overwriting a dashboard they do not own to gain admin rights on it) until it is
  correlated with the application's own audit log or identity data.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-33377/
tags:
  - attack.privilege_escalation
  - attack.t1078.004
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/dashboards/'
    cs-method:
      - 'PUT'
    sc-status:
      - '200'
    cs-uri-query|contains:
      - 'overwrite=true'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Editors overwriting dashboards they own, which the web server log cannot distinguish
```
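To show what the rule above actually fires on, here is an added example (not from the original page or the Intel Bot) that applies the rule's selection to constructed W3C extended log lines. The log lines, the `#Fields:` header layout, the `cs-username` column and the role directory used for triage are all assumptions; the rule's `cs-uri` field is applied to the `cs-uri-stem` column here.

```python
"""Added example: the Sigma selection above run over constructed W3C-style
web server log lines, then triaged against an assumed role directory."""

# Constructed sample log (IIS-style W3C extended format; the #Fields: header names the columns).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2026-05-13 10:01:02 10.0.0.5 alice GET /api/dashboards/uid/sales - 200
2026-05-13 10:02:10 10.0.0.5 alice PUT /api/dashboards/db overwrite=true 200
2026-05-13 10:05:44 10.0.0.9 mallory PUT /api/dashboards/db overwrite=true 200
2026-05-13 10:06:01 10.0.0.9 mallory PUT /api/dashboards/db overwrite=true 403
2026-05-13 10:07:30 10.0.0.9 mallory POST /api/dashboards/db - 200
"""

# Constructed role directory; a real one would come from the application or IdP.
ROLES = {"alice": "admin", "mallory": "editor"}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def selection(event):
    """The rule's 'selection' block, one condition per listed field.
    'contains' is a substring test, exactly as the Sigma modifier behaves."""
    return ("/api/dashboards/" in event.get("cs-uri-stem", "")
            and event.get("cs-method") == "PUT"
            and event.get("sc-status") == "200"
            and "overwrite=true" in event.get("cs-uri-query", ""))


def detect(text):
    """Apply the selection to every event; return the hits in log order."""
    return [ev for ev in parse_w3c(text) if selection(ev)]


def triage(matches, roles):
    """Keep only hits made by accounts whose global role is 'editor'.
    The web server log carries no role or ownership data, so this join against
    a role directory is the first correlation step; confirming that the target
    dashboard belonged to someone else still needs the application audit log."""
    return [ev for ev in matches if roles.get(ev.get("cs-username")) == "editor"]


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for ev in hits:
        print("rule hit:", ev["time"], ev["cs-username"], ev["c-ip"])
    for ev in triage(hits, ROLES):
        print("editor overwrite, investigate:", ev["time"], ev["cs-username"])
```

On this sample the rule fires twice, once on alice's legitimate overwrite and once on mallory's; the GET, the 403 and the POST are ignored. The role join leaves only mallory, which is the false-positive reduction the rule's description implies but the Sigma logic itself cannot perform.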
Indicators of Compromise
No network or host indicators are published for this CVE; the entries below describe the vulnerable behaviour to look for rather than observables.
| ID | Weakness | Description |
|---|---|---|
| CVE-2026-33377 | Privilege Escalation | Editor role can overwrite dashboards not owned by them |
| CVE-2026-33377 | Privilege Escalation (missing object-level authorization) | User with write access to a dashboard can acquire admin on that specific dashboard |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.