Description
Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management, audit logs, debug endpoints, and operator identity configuration that the role was explicitly denied. In version 1.7.0, backup and restore permissions have been removed from the NetworkManager role.
Published: 2026-03-27
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrative Control
Action: Immediate Patch
AI Analysis

Impact

Ella Core allows the NetworkManager role to restore a database through an endpoint that accepts any valid SQLite file without validating its contents. An authorized NetworkManager can therefore replace the production database with a tampered copy and elevate their own permissions to full Administrator. As a result, the attacker gains unrestricted access to user management, audit logs, debug endpoints, and operator identity configuration, capabilities that the role was specifically denied. The underlying weakness is inadequate access control on an administrative interface, which allows privilege escalation; it is classified as CWE-269.

Affected Systems

The vulnerability exists in the Ella Core 5G core platform developed by ellanetworks. Versions before 1.7.0 grant the NetworkManager role backup and restore permissions, making these releases susceptible. The affected component is the database restore API that reads SQLite files in the core system.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known exploitation in the wild yet. An attacker must be authenticated as a NetworkManager or must compromise a system where such credentials exist. With that role's privileges, the attacker can replace the database and escalate to Administrator without any additional conditions.

Generated by OpenCVE AI on March 28, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ella Core to version 1.7.0 or later, where backup and restore permissions have been removed from the NetworkManager role.
  • If an upgrade is not immediately possible, disable the restore API for NetworkManager or enforce strict validation to ensure only legitimate database files are accepted.
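
One way to implement the "strict validation" fallback from the second bullet, as an added example rather than Ella Core's own code: before a restore, compare the uploaded file's schema and account table against the live database, and refuse a non-admin restore that would change either. The `users` and `subscribers` tables, their columns, and the role string `admin` are assumptions made for illustration.

```python
import sqlite3

SQLITE_MAGIC = b"SQLite format 3\x00"
PROTECTED_TABLES = ("users",)  # assumption: hypothetical account table name

def snapshot(path):
    """Return (schema, protected rows) of a SQLite file, opened read-only."""
    with open(path, "rb") as f:
        if f.read(16) != SQLITE_MAGIC:
            raise ValueError("not a SQLite database")
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise ValueError("integrity_check failed")
        # sqlite_master holds tables, indexes, views and triggers; all of it
        # is restored with the file, so all of it is compared.
        schema = con.execute("SELECT type, name, tbl_name, sql FROM sqlite_master "
                             "ORDER BY type, name").fetchall()
        rows = {t: con.execute(f"SELECT * FROM {t} ORDER BY 1").fetchall()
                for t in PROTECTED_TABLES}
        return schema, rows
    finally:
        con.close()

def check_restore(live_path, upload_path, caller_role):
    """Return the reasons to refuse a restore; an empty list means accept."""
    try:
        up_schema, up_rows = snapshot(upload_path)
    except (ValueError, sqlite3.DatabaseError) as exc:
        return [f"upload rejected: {exc}"]
    live_schema, live_rows = snapshot(live_path)
    problems = []
    if up_schema != live_schema:
        problems.append("schema differs from live database")
    if caller_role != "admin":  # assumption: hypothetical role string
        for t in PROTECTED_TABLES:
            if up_rows[t] != live_rows[t]:
                problems.append(f"protected table {t} differs from live database")
    return problems

def make_demo_db(path, users, extra_sql=""):
    """Build a constructed sample database (hypothetical schema)."""
    con = sqlite3.connect(path)
    con.executescript("CREATE TABLE users(email TEXT PRIMARY KEY, role TEXT, pw_hash TEXT);"
                      "CREATE TABLE subscribers(imsi TEXT PRIMARY KEY);" + extra_sql)
    con.executemany("INSERT INTO users VALUES (?,?,?)", users)
    con.commit()
    con.close()
```

A backup taken before a schema migration will fail the schema comparison, so such restores need a separate admin-only path. The check compares whole rows, so a changed credential column is caught the same way as a changed role.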



Advisories
Source: GitHub GHSA
ID: GHSA-87j9-m7x6-hvw2
Title: Ella Core has Privilege Escalation via Database Restore by NetworkManager role
History

Mon, 20 Apr 2026 12:45:00 +0000

Values added:
  • First Time appeared: Ellanetworks ella Core
  • CPEs: cpe:2.3:a:ellanetworks:ella_core:*:*:*:*:*:*:*:*
  • Vendors & Products: Ellanetworks ella Core

Tue, 31 Mar 2026 19:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Values added:
  • First Time appeared: Ellanetworks; Ellanetworks core
  • Vendors & Products: Ellanetworks; Ellanetworks core

Sat, 28 Mar 2026 03:15:00 +0000

Values added:
  • Description: identical to the Description at the top of this page
  • Title: Ella Core has Privilege Escalation via Database Restore by NetworkManager role
  • Weaknesses: CWE-269
  • References
  • Metrics (cvssV3_1): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:53:56.905Z

Reserved: 2026-03-24T15:41:47.491Z

Link: CVE-2026-33906

Vulnrichment

Updated: 2026-03-31T18:51:15.479Z

NVD

Status: Analyzed

Published: 2026-03-27T21:17:26.800

Modified: 2026-04-20T12:33:13.623

Link: CVE-2026-33906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:00:13Z

Weaknesses