Platform
go
Component
github.com/ellanetworks/core
Fixed in
1.7.1
1.7.0
CVE-2026-33906 describes a privilege escalation vulnerability in Ella Core. It allows an attacker holding the NetworkManager role to escalate their access through a database restore operation. The vulnerability affects versions prior to 1.7.0 and was published on 2026-04-02. A fix is available in version 1.7.0.
Successful exploitation of CVE-2026-33906 could give an attacker significantly elevated privileges within the Ella Core system. An attacker who already has NetworkManager role access could use this flaw to bypass access controls and potentially compromise sensitive data or system configuration. The blast radius extends to any data or functionality reachable by users with higher privileges than the initial attacker; depending on Ella Core's functionality and deployment, this could include network configuration, routing tables, and potentially control over connected devices. No specific real-world precedent is immediately apparent, but privilege escalation vulnerabilities often lead to widespread compromise once exploited.
The exploitation context is currently unclear, with no reports of active exploitation campaigns. The vulnerability is not listed in CISA's KEV (Known Exploited Vulnerabilities) catalog as of this writing. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. Public proof-of-concept (PoC) code is not currently available, but the nature of the vulnerability suggests it could be relatively straightforward to exploit once a PoC is developed.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33906 is to upgrade Ella Core to version 1.7.0 or later, which contains the fix. If an immediate upgrade is not feasible, restrict access to the database restore functionality to authorized personnel only, and apply strict role-based access controls that limit the privileges of the NetworkManager role. Monitor database activity logs for unexpected restore operations. A WAF rule is not directly applicable here, but network segmentation can limit the impact of a successful exploit. After upgrading, verify the fix by attempting a database restore as a user holding the NetworkManager role and confirming that the operation is denied.
Upgrade Ella Core to version 1.7.0 or later. This version fixes the privilege escalation vulnerability by removing the backup and restore permissions from the NetworkManager role.
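The following is an added illustration, not code from Ella Core or from the advisory. It models the fix the advisory describes (backup and restore permissions removed from the NetworkManager role) as a role-to-permission policy enforced by an HTTP authorization middleware, shows the pre-fix and post-fix policies side by side, and emits an audit log line for every allowed or denied restore attempt so that the monitoring suggested above has something to consume. The role names come from the advisory; the permission names, the `X-Role` header, and the `/api/v1/backup/restore` path are assumptions made for the example and are not Ella Core's identifiers.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Permission names are assumed for this example; they are not Ella Core's own identifiers.
type Permission string

const (
	PermReadNetwork     Permission = "network:read"
	PermWriteNetwork    Permission = "network:write"
	PermBackupDatabase  Permission = "database:backup"
	PermRestoreDatabase Permission = "database:restore"
)

// Role names follow the advisory; Admin is assumed as the role that legitimately restores backups.
type Role string

const (
	RoleAdmin          Role = "Admin"
	RoleNetworkManager Role = "NetworkManager"
)

// Policy maps each role to the set of permissions it holds.
type Policy map[Role]map[Permission]bool

// VulnerablePolicy models the pre-1.7.0 state described in the advisory:
// NetworkManager holds backup and restore permissions.
func VulnerablePolicy() Policy {
	return Policy{
		RoleAdmin:          {PermReadNetwork: true, PermWriteNetwork: true, PermBackupDatabase: true, PermRestoreDatabase: true},
		RoleNetworkManager: {PermReadNetwork: true, PermWriteNetwork: true, PermBackupDatabase: true, PermRestoreDatabase: true},
	}
}

// FixedPolicy models the 1.7.0 fix: backup and restore are removed from NetworkManager.
func FixedPolicy() Policy {
	return Policy{
		RoleAdmin:          {PermReadNetwork: true, PermWriteNetwork: true, PermBackupDatabase: true, PermRestoreDatabase: true},
		RoleNetworkManager: {PermReadNetwork: true, PermWriteNetwork: true},
	}
}

// Allows reports whether role r holds permission perm under the policy.
// Unknown roles and unknown permissions are denied (default-deny).
func (p Policy) Allows(r Role, perm Permission) bool {
	return p[r][perm]
}

// RequirePermission wraps next so it only runs when the caller's role holds perm.
// The role is read from the X-Role header, which stands in for an already
// authenticated session (assumption for the example). Every decision is logged
// so restore attempts can be reviewed.
func RequirePermission(p Policy, perm Permission, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		role := Role(req.Header.Get("X-Role"))
		if !p.Allows(role, perm) {
			log.Printf("authz denied role=%q perm=%q method=%s path=%s", role, perm, req.Method, req.URL.Path)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		log.Printf("authz allowed role=%q perm=%q method=%s path=%s", role, perm, req.Method, req.URL.Path)
		next.ServeHTTP(w, req)
	})
}

// AttemptRestore returns the HTTP status a caller with the given role receives
// from the (assumed) restore endpoint when the middleware enforces policy p.
func AttemptRestore(p Policy, role Role) int {
	restore := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK) // the real handler would apply the uploaded backup here
	})
	srv := RequirePermission(p, PermRestoreDatabase, restore)
	req := httptest.NewRequest(http.MethodPost, "/api/v1/backup/restore", nil)
	req.Header.Set("X-Role", string(role))
	rec := httptest.NewRecorder()
	srv.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, tc := range []struct {
		name string
		p    Policy
	}{{"before fix", VulnerablePolicy()}, {"after fix", FixedPolicy()}} {
		fmt.Printf("%s: NetworkManager restore -> %d, Admin restore -> %d\n",
			tc.name, AttemptRestore(tc.p, RoleNetworkManager), AttemptRestore(tc.p, RoleAdmin))
	}
}
```

Running the block prints a 200 for NetworkManager under the vulnerable policy and a 403 under the fixed one, while Admin is allowed in both cases; the `authz denied` log lines are the signal to alert on when monitoring restore activity, and the default-deny lookup in `Allows` ensures that a role or permission missing from the policy never gains access by omission.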
CVE-2026-33906 is a HIGH severity vulnerability in Ella Core versions before 1.7.0. It allows an attacker with NetworkManager role access to escalate privileges via database restore, potentially gaining control of the system.
You are affected if you are running Ella Core versions prior to 1.7.0 and have not implemented compensating controls to restrict database restore access.
Upgrade Ella Core to version 1.7.0 or later. If immediate upgrade is not possible, restrict access to the database restore functionality and implement strict role-based access controls.
There are currently no public reports of active exploitation campaigns for CVE-2026-33906, but the vulnerability's nature suggests potential for exploitation.
Refer to the Ella Networks security advisories page for the latest information and the official advisory regarding CVE-2026-33906.