CVE-2026-33376 Overview
CVE-2026-33376 affects the Grafana Auth Proxy feature when administrators configure an IPv6 allow-list. The Auth Proxy applies a default /32 prefix length to IPv6 entries that omit an explicit mask. The default is intended for IPv4 and produces an incorrect network range for IPv6 addresses. This misinterpretation can broaden or narrow the trusted range beyond operator intent, weakening the access control boundary on the Auth Proxy endpoint. Only the Auth Proxy authentication method is impacted. Okta, SAML, LDAP, and other authentication backends are not affected by this issue.
Critical Impact
Misconfigured IPv6 allow-lists can permit unauthorized network sources to reach Auth Proxy authentication, enabling identity spoofing under specific network conditions.
Affected Products
- Grafana deployments using the Auth Proxy feature with IPv6 allow-list entries lacking an explicit prefix mask
- Refer to the Grafana Security Advisory CVE-2026-33376 for affected version ranges
Discovery Timeline
- 2026-05-13 - CVE-2026-33376 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-33376
Vulnerability Analysis
The Auth Proxy feature accepts a list of trusted client addresses or networks. When an operator supplies an IPv6 address without a prefix length, Grafana applies a default mask of /32. For IPv4, /32 represents a single host. For IPv6, /32 represents a network of 2^96 addresses, which is far broader than a single host. The resulting allow-list entry can either match an unexpectedly large block of IPv6 addresses or, depending on parsing behavior, fail to match the intended host at all.
An attacker who controls any address within the over-broad IPv6 prefix can present requests to the Auth Proxy and assert arbitrary user identities through the trusted header. Exploitation requires network adjacency or routing into the affected IPv6 range, which raises attack complexity. Successful exploitation grants authenticated access as the impersonated user, with confidentiality and integrity impact to Grafana data and dashboards.
Root Cause
The root cause is an insecure default configuration [CWE-1188] combined with improper handling of address family semantics. The allow-list parser does not adjust the default prefix length based on whether the input is IPv4 or IPv6, producing a logically incorrect network range for IPv6 entries.
Attack Vector
The attack vector is network-based. An adversary must source traffic from an IPv6 address that falls within the unintentionally trusted /32 range and send requests to the Auth Proxy endpoint with a spoofed identity header. No authentication or user interaction is required.
No verified exploitation code is published. The Grafana advisory describes the misconfiguration and remediation in prose.
Detection Methods for CVE-2026-33376
Indicators of Compromise
- Auth Proxy authentication events for users that did not originate from approved administrative networks
- Successful logins where the source IPv6 address falls outside the intended single-host scope but within the /32 aggregate
- Unexpected creation, modification, or access of dashboards correlated with anomalous source addresses
Detection Strategies
- Audit the Grafana auth.proxy configuration block and enumerate any IPv6 entries that lack an explicit prefix length
- Correlate Grafana authentication logs with network flow data to identify Auth Proxy sessions from unexpected IPv6 prefixes
- Compare the effective parsed allow-list to the intended list of hosts and flag any IPv6 entry that resolves to a range wider than a single host (/128)
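The two points above, worked through in Go as an added example: the family-agnostic /32 default from the Vulnerability Analysis section, and the detection step of flagging IPv6 entries that resolve wider than a single host. This is illustrative code written for this page, not Grafana's own parser; the function names (parseEntry, familyAgnostic32, hostPerFamily, parseAllowList, isAllowed, missingMaskEntries) and the sampleWhitelist value are constructed assumptions, and the flawed policy models the behaviour as described here rather than Grafana's actual internals.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// defaultPolicy picks the prefix length for an entry written without "/bits".
type defaultPolicy func(netip.Addr) int

// familyAgnostic32 mirrors the flawed behaviour described on this page: /32
// whatever the address family (assumption, not Grafana's code).
func familyAgnostic32(netip.Addr) int { return 32 }

// hostPerFamily is the corrected policy: a bare address is exactly one host,
// /32 for IPv4 and /128 for IPv6.
func hostPerFamily(a netip.Addr) int { return a.BitLen() }

// parseEntry parses one allow-list entry, applying policy when no mask is given.
func parseEntry(entry string, policy defaultPolicy) (netip.Prefix, error) {
	entry = strings.TrimSpace(entry)
	if strings.Contains(entry, "/") {
		p, err := netip.ParsePrefix(entry)
		return p.Masked(), err
	}
	a, err := netip.ParseAddr(entry)
	if err != nil {
		return netip.Prefix{}, err
	}
	return a.Prefix(policy(a))
}

// parseAllowList parses a comma-separated whitelist value into prefixes.
func parseAllowList(value string, policy defaultPolicy) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, raw := range strings.Split(value, ",") {
		if strings.TrimSpace(raw) == "" {
			continue
		}
		p, err := parseEntry(raw, policy)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", strings.TrimSpace(raw), err)
		}
		out = append(out, p)
	}
	return out, nil
}

// isAllowed reports whether the client address falls inside any listed prefix.
func isAllowed(list []netip.Prefix, client string) bool {
	a, err := netip.ParseAddr(client)
	if err != nil {
		return false
	}
	for _, p := range list {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// missingMaskEntries returns the IPv6 entries written without an explicit
// prefix length: exactly the entries a family-agnostic /32 default widens.
func missingMaskEntries(value string) ([]string, error) {
	var flagged []string
	for _, raw := range strings.Split(value, ",") {
		e := strings.TrimSpace(raw)
		if e == "" || strings.Contains(e, "/") {
			continue
		}
		a, err := netip.ParseAddr(e)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", e, err)
		}
		if a.Is6() {
			flagged = append(flagged, e)
		}
	}
	return flagged, nil
}

// sampleWhitelist is a constructed auth.proxy whitelist value for this example;
// the first two IPv6 entries lack a mask, the third carries an operator-chosen /64.
const sampleWhitelist = "2001:db8::1, 2001:db8::2, 2001:db8:1::/64, 192.0.2.10, 192.0.2.11/32"

func main() {
	flawed, _ := parseAllowList(sampleWhitelist, familyAgnostic32)
	fixed, _ := parseAllowList(sampleWhitelist, hostPerFamily)
	stray := "2001:db8:ffff::1" // unrelated host sharing only the first 32 bits with 2001:db8::1
	fmt.Printf("%s allowed: flawed=%v fixed=%v\n", stray, isAllowed(flawed, stray), isAllowed(fixed, stray))
	for _, p := range flawed {
		fmt.Printf("flawed effective %-20s covers 2^%d addresses\n", p, p.Addr().BitLen()-p.Bits())
	}
	flagged, _ := missingMaskEntries(sampleWhitelist)
	fmt.Println("IPv6 entries missing an explicit mask:", flagged)
}
```

Running the block shows the stray host admitted under the flawed policy and rejected under the per-family one, each entry's effective coverage (2^96 addresses for the bare IPv6 entries), and the two entries an operator needs to fix. Entries with an explicit mask keep whatever range the operator wrote, so the audit only flags the bare IPv6 addresses that the default silently widens; feeding the real whitelist value from grafana.ini into missingMaskEntries gives the list to correct with /128.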
Monitoring Recommendations
- Forward Grafana authentication and audit logs to a centralized analytics platform and alert on Auth Proxy logins from new source prefixes
- Track changes to grafana.ini and any configuration management templates that define whitelist values for Auth Proxy
- Review reverse proxy and load balancer logs in front of Grafana for header injection patterns against the Auth Proxy path
How to Mitigate CVE-2026-33376
Immediate Actions Required
- Inventory all Grafana instances using auth.proxy and review the whitelist directive for IPv6 entries
- Append an explicit prefix length to every IPv6 allow-list entry, using /128 for single hosts
- Restrict network reachability of the Auth Proxy endpoint to trusted reverse proxy hosts using firewall or service mesh policy
Patch Information
Consult the Grafana Security Advisory CVE-2026-33376 for fixed versions and upgrade guidance. The advisory also confirms that Okta, SAML, LDAP, and other authentication providers are not affected and do not require changes.
Workarounds
- Add an explicit mask such as /128 to every IPv6 address in the Auth Proxy allow-list to override the unsafe default
- Temporarily disable the Auth Proxy method and rely on Okta, SAML, or LDAP authentication until configurations are corrected
- Place Grafana behind a reverse proxy that performs source address validation before forwarding the trusted identity header
# Configuration example: grafana.ini auth.proxy section
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
# Use explicit /128 for single IPv6 hosts to avoid the unsafe /32 default
whitelist = 2001:db8::1/128, 2001:db8::2/128, 192.0.2.10/32
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.