HIGHCVE-2026-33376Published Modified CNA GRAFANA
CVE-2026-33376: Auth Proxy IPv6 whitelist bypass
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.
Metrics
- CVSS v3.1
- 7.4
- Severity
- HIGH
- Fixed in
- 11.6.14+security-04
- Affected Products
- 1
Fix available
11.6.14+security-0412.2.8+security-0412.3.6+security-0412.4.3+security-0213.0.1+security-01
Affected packages
- Grafana / Grafana OSS≤ 11.6.14 · < 11.6.14+security-04 (from 11.6.14) · ≤ 12.2.8 · < 12.2.8+security-04 (from 12.2.8) · ≤ 12.3.6 · < 12.3.6+security-04 (from 12.3.6)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NReferences