CVE-2026-33376: Vulnerability in Grafana Grafana OSS
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here.
AI Analysis
Technical Summary
This vulnerability in Grafana OSS occurs in the Auth Proxy feature's IPv6 allow-list implementation, where an IPv6 address listed without a mask is treated as a /32 network rather than a single host. A /32 is a single host for IPv4, but for IPv6 it covers the entire 2^96-address block, so a bare IPv6 entry grants far broader access than the operator intended. Explicitly specifying the mask (usually /128) for IPv6 addresses mitigates the issue. Other authentication methods like Okta, SAML, and LDAP are unaffected. The vulnerability has a CVSS 3.1 base score of 7.4 (high severity): network attack vector, high attack complexity, no privileges required, no user interaction, with impact on confidentiality and integrity but not availability. Versions from 9.4.0 through 13.0.1 are affected. No vendor advisory or patch information is currently available.
Potential Impact
The vulnerability allows a request originating anywhere within the /32 block implied by a bare IPv6 allow-list entry to pass the Auth Proxy's address restriction, which is much broader than the /128 single-host match the entry was meant to express. Because the Auth Proxy trusts an upstream header for the user's identity once the source address is accepted, this could lead to unauthorized access affecting confidentiality and integrity of the Grafana OSS instance. Other authentication methods remain unaffected. There are no known exploits in the wild at this time.
Mitigation Recommendations
No official patch or remediation level has been provided by the vendor yet. As a workaround, explicitly specify the desired IPv6 mask (usually /128) on every IPv6 entry in the Auth Proxy allow-list; entries that already carry a mask behave as written. Review the current allow-list for any IPv6 address without a mask, and monitor the vendor's advisory channels for updates on official fixes or patches.
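The following is an added example, not Grafana's own code and not part of the advisory above. It models the behaviour the description gives: in a comma-separated allow-list, a bare IPv6 entry is interpreted as a /32 network while an entry with an explicit mask is taken as written. The linter reports which entries would silently widen, rewrites them with the recommended /128, and evaluates a client address against both the original and the corrected list. The list format, the `DEFAULT_V6_PREFIX` constant and the sample addresses are constructed assumptions for the demonstration.

```python
import ipaddress

# Prefix length the advisory says is applied to bare IPv6 entries (assumption
# modelled on the description), and the single-host length operators usually want.
DEFAULT_V6_PREFIX = 32
HOST_V6_PREFIX = 128

# Constructed sample allow-list: one IPv4 host, one bare IPv6 host (the risky
# form), and one IPv6 host with an explicit /128 mask (the safe form).
SAMPLE_ALLOWLIST = "192.168.1.10, 2001:db8:abcd:1::10, 2001:db8:ffff::1/128"


def _entries(raw):
    """Split a comma-separated allow-list into non-empty, stripped entries."""
    return [e.strip() for e in raw.split(",") if e.strip()]


def parse_entry(entry, default_v6_prefix=DEFAULT_V6_PREFIX):
    """Return (network, had_explicit_mask) for one allow-list entry.

    An entry with a '/' is used as written. A bare IPv4 address becomes /32,
    which is a single host. A bare IPv6 address is widened to the default
    prefix, reproducing the behaviour described in the advisory.
    """
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False), True
    addr = ipaddress.ip_address(entry)
    prefix = default_v6_prefix if addr.version == 6 else 32
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), False


def lint_allowlist(raw):
    """List every bare IPv6 entry together with the range it would really match."""
    findings = []
    for entry in _entries(raw):
        net, explicit = parse_entry(entry)
        if net.version == 6 and not explicit:
            findings.append({
                "entry": entry,
                "effective": str(net),
                "recommended": f"{ipaddress.ip_address(entry)}/{HOST_V6_PREFIX}",
                "hosts_covered": net.num_addresses,
            })
    return findings


def fix_allowlist(raw):
    """Rewrite bare IPv6 entries with an explicit /128; leave everything else as-is."""
    fixed = []
    for entry in _entries(raw):
        net, explicit = parse_entry(entry)
        if net.version == 6 and not explicit:
            fixed.append(f"{ipaddress.ip_address(entry)}/{HOST_V6_PREFIX}")
        else:
            fixed.append(entry)
    return ", ".join(fixed)


def is_allowed(raw, client_ip):
    """Would client_ip pass the allow-list under the default-mask interpretation?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in parse_entry(e)[0] for e in _entries(raw))


if __name__ == "__main__":
    for finding in lint_allowlist(SAMPLE_ALLOWLIST):
        print(f"{finding['entry']} matches {finding['effective']} "
              f"({finding['hosts_covered']} addresses); use {finding['recommended']}")
    corrected = fix_allowlist(SAMPLE_ALLOWLIST)
    print("corrected allow-list:", corrected)
    # An unrelated host in the same /32 passes the original list but not the fixed one.
    stranger = "2001:db8:1234::5"
    print(stranger, "allowed before:", is_allowed(SAMPLE_ALLOWLIST, stranger),
          "after:", is_allowed(corrected, stranger))
```

Running the linter over an exported allow-list is a quick way to confirm the workaround has been applied everywhere: any finding it returns is an entry that still needs its mask added.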
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2026-03-19T07:55:06.977Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a04d641cbff5d861003f1b8
Added to database: 5/13/2026, 7:51:29 PM
Last enriched: 5/13/2026, 8:07:02 PM
Last updated: 5/14/2026, 6:51:33 AM
Views: 5