Grafana Auth Proxy IPv6 /32 Default Allowlist Vulnerability
CVE-2026-33376 Published on May 13, 2026
Auth Proxy IPv6 whitelist bypass
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.
Products Associated with CVE-2026-33376
Want to know whenever a new CVE is published for Grafana Labs Grafana? stack.watch will email you.
Affected Versions
Grafana OSS:- Version 9.4.0, <= 11.6.14 is affected.
- Version 11.6.14 and below 11.6.14+security-04 is affected.
- Version 12.0.0, <= 12.2.8 is affected.
- Version 12.2.8 and below 12.2.8+security-04 is affected.
- Version 12.3.0, <= 12.3.6 is affected.
- Version 12.3.6 and below 12.3.6+security-04 is affected.
- Version 12.4.0, <= 12.4.3 is affected.
- Version 12.4.3 and below 12.4.3+security-02 is affected.
- Version 13.0.0, <= 13.0.1 is affected.
- Version 13.0.1 and below 13.0.1+security-01 is affected.