{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33906", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.491Z", "datePublished": "2026-03-27T20:56:35.079Z", "dateUpdated": "2026-03-31T18:53:56.905Z"}, "containers": {"cna": {"title": "Ella Core has Privilege Escalation via Database Restore by NetworkManager role", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ellanetworks/core/security/advisories/GHSA-87j9-m7x6-hvw2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellanetworks/core/security/advisories/GHSA-87j9-m7x6-hvw2"}, {"name": "https://github.com/ellanetworks/core/commit/1e4768288a6519fcb63ec83f851584ecebb8a972", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellanetworks/core/commit/1e4768288a6519fcb63ec83f851584ecebb8a972"}, {"name": "https://github.com/ellanetworks/core/releases/tag/v1.7.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ellanetworks/core/releases/tag/v1.7.0"}], "affected": [{"vendor": "ellanetworks", "product": "core", "versions": [{"version": "< 1.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:56:35.079Z"}, "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied. In version 1.7.0, backup and restore permissions have been removed from the NetworkManager role."}], "source": {"advisory": "GHSA-87j9-m7x6-hvw2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:51:14.445855Z", "id": "CVE-2026-33906", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:53:56.905Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T18:51:14.445855Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:51:15.479Z"}}], "cna": {"title": "Ella Core has Privilege Escalation via Database Restore by NetworkManager role", "source": {"advisory": "GHSA-87j9-m7x6-hvw2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ellanetworks", "product": "core", "versions": [{"status": "affected", "version": "< 1.7.0"}]}], "references": [{"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-87j9-m7x6-hvw2", "name": "https://github.com/ellanetworks/core/security/advisories/GHSA-87j9-m7x6-hvw2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ellanetworks/core/commit/1e4768288a6519fcb63ec83f851584ecebb8a972", "name": "https://github.com/ellanetworks/core/commit/1e4768288a6519fcb63ec83f851584ecebb8a972", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ellanetworks/core/releases/tag/v1.7.0", "name": "https://github.com/ellanetworks/core/releases/tag/v1.7.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied. In version 1.7.0, backup and restore permissions have been removed from the NetworkManager role."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:56:35.079Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33906", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:53:56.905Z", "dateReserved": "2026-03-24T15:41:47.491Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:56:35.079Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BAD1DBD-ED4B-49AB-A563-C4838F8F8979", "versionEndExcluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied. In version 1.7.0, backup and restore permissions have been removed from the NetworkManager role."}], "id": "CVE-2026-33906", "lastModified": "2026-04-20T12:33:13.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:26.800", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ellanetworks/core/commit/1e4768288a6519fcb63ec83f851584ecebb8a972"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ellanetworks/core/releases/tag/v1.7.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ellanetworks/core/security/advisories/GHSA-87j9-m7x6-hvw2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "core", "source": "cna", "vendor": "ellanetworks"}, "product": "core", "vendor": "ellanetworks"}], "analysis": {"en": {"generated_at": "2026-03-28T05:29:39.946150+00:00", "value": {"mitigation_remediation": ["Update Ella Core to version 1.7.0 or later, where backup and restore permissions have been removed from the NetworkManager role.", "If an upgrade is not immediately possible, disable the restore API for NetworkManager or enforce strict validation to ensure only legitimate database files are accepted."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Administrative Control"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Ella Core 5G core platform developed by ellanetworks. Versions before 1.7.0 grant the NetworkManager role backup and restore permissions, making these releases susceptible. The affected component is the database restore API that reads SQLite files in the core system.", "description_and_impact": "Ella Core allows the NetworkManager role to restore a database via an endpoint that accepts any valid SQLite file without validating its contents. This flaw permits an authorized NetworkManager to replace the production database with a tampered copy, elevating its permissions to full Administrator. As a result, the attacker gains unrestricted access to user management, audit logs, debug endpoints, and operator identity configuration\u2014capabilities that the role was specifically denied. The weakness is an administrative interface that allows privilege escalation due to inadequate access control, classified as CWE-269.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity. EPSS data is unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known publicly exploited instances yet. The likely attack vector requires an adversary to be authenticated as a NetworkManager or to compromise a system where such credentials exist. Once the role\u2019s privileges are leveraged, the attacker can easily replace the database, elevating to Administrator without additional conditions."}}}}, "created": "2026-03-29T20:29:54.448520+00:00", "updated": "2026-03-30T07:00:13.633335+00:00", "vendors": ["ellanetworks", "ellanetworks$PRODUCT$core"]}