Auth Proxy IPv6 whitelist bypass
High
| Advisory ID: | CVE-2026-33376 |
| Published: | 2026-05-13 |
| Product: | Grafana |
| CVSS Score: | 7.4 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Fixed Versions: | >=11.6.14+security-04, >=12.2.8+security-04, >=12.3.6+security-04, >=12.4.3+security-02, >=13.0.1+security-01 |
Summary
When an IPv6 allow-list is used for the Auth Proxy feature, addresses listed without an explicit mask default to a /32 mask. Addresses that specify a mask explicitly are not affected; as an easy mitigation, add the desired mask (usually /128) to each address. Only Auth Proxy is affected; Okta, SAML, LDAP, etc. are unaffected.
This vulnerability was reported via our bug bounty program.
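The mitigation in the Summary can be checked mechanically. The following is an added example, not code from Grafana or from this advisory: it flags IPv6 allow-list entries that carry no mask, shows the /32 network each would cover, and prints the value with /128 appended. It assumes the allow-list is the `whitelist` key under `[auth.proxy]` in `grafana.ini`; the function name `audit_whitelist` and the sample addresses are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample configuration, not taken from the advisory.
SAMPLE_INI = """
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
whitelist = 192.0.2.10, 2001:db8:1::5, 2001:db8:2::/64, 2001:db8:3::7/128
"""

AFFECTED_DEFAULT = 32   # mask the advisory says bare IPv6 entries default to
INTENDED_MASK = 128     # single-host mask the advisory suggests adding


def audit_whitelist(ini_text):
    """Return (findings, fixed_value) for the [auth.proxy] whitelist.

    findings: list of (entry, network covered when /32 is assumed).
    fixed_value: the whitelist with /128 added to bare IPv6 entries.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    raw = cfg.get("auth.proxy", "whitelist", fallback="")
    findings, fixed = [], []
    # Accept comma- and/or space-separated entries.
    for entry in raw.replace(",", " ").split():
        if "/" in entry:
            fixed.append(entry)          # explicit mask: not affected
            continue
        if ipaddress.ip_address(entry).version == 4:
            fixed.append(entry)          # the advisory concerns IPv6 entries
            continue
        covered = ipaddress.ip_network(f"{entry}/{AFFECTED_DEFAULT}", strict=False)
        findings.append((entry, str(covered)))
        fixed.append(f"{entry}/{INTENDED_MASK}")
    return findings, ", ".join(fixed)


if __name__ == "__main__":
    findings, fixed = audit_whitelist(SAMPLE_INI)
    for entry, covered in findings:
        print(f"{entry}: no mask, covers {covered} on affected versions")
    print(f"whitelist = {fixed}")
```
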