
Grafana OSS CVE-2026-33376

EUVD-2026-30142 · HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
Published 2026-05-13 · Vendor: GRAFANA · Advisory: GHSA-3r2p-7499-27q3
CVSS 3.1 (NVD): 7.4

Severity by source

NVD (primary): 7.4 HIGH, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE: HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis generated: Jun 08, 2026 - 09:44 (vuln.today)
Patch available: May 13, 2026 - 21:02 (EUVD)

Description (CVE.org)

When an IPv6 allow-list is used for the Auth Proxy feature, addresses written without an explicit mask default to a /32 mask. Addresses that specify a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only Auth Proxy is affected; Okta, SAML, LDAP, etc. are unaffected here.
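As an added example (not Grafana's own code and not part of this record), a small audit of an Auth Proxy allow-list value: it assumes the comma-separated `whitelist` key format that Grafana documents for `[auth.proxy]`, treats every mask-less entry as /32 the way the description above states, reports the IPv6 entries that thereby trust far more than one host, and rewrites each mask-less entry with an explicit host mask. The sample list is constructed.

```python
import ipaddress

# Constructed sample of a Grafana [auth.proxy] whitelist value (not from a real deployment).
SAMPLE_WHITELIST = "192.168.1.10, 2001:db8::10, 2001:db8:1::/64, fd00::5/128"


def effective_network(entry: str):
    """Return (network trusted under the insecure default, network the operator intended).

    Assumption, taken from the advisory text: a mask-less entry is interpreted as /32
    regardless of address family. For IPv4 that is a single host; for IPv6 it is not.
    """
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)  # explicit mask: honoured as written
        return net, net
    addr = ipaddress.ip_address(entry)
    defaulted = ipaddress.ip_network(f"{addr}/32", strict=False)
    intended = ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")  # /32 for v4, /128 for v6
    return defaulted, intended


def audit_whitelist(value: str):
    """Return [(entry, extra_addresses_trusted)] for entries wider than a single host."""
    findings = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        defaulted, intended = effective_network(entry)
        if defaulted != intended:
            findings.append((entry, defaulted.num_addresses - intended.num_addresses))
    return findings


def harden_whitelist(value: str) -> str:
    """Rewrite every mask-less entry with an explicit host mask; masked entries are kept."""
    fixed = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            fixed.append(str(ipaddress.ip_network(entry, strict=False)))
        else:
            addr = ipaddress.ip_address(entry)
            fixed.append(f"{addr}/{addr.max_prefixlen}")
    return ", ".join(fixed)
```

Running `audit_whitelist(SAMPLE_WHITELIST)` flags only `2001:db8::10`, which under a /32 default covers 2^96 addresses instead of one; `harden_whitelist` produces the corrected value to paste back into the config.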

Analysis (AI)

Authentication bypass in the Grafana OSS Auth Proxy allows remote attackers to circumvent IPv6 allow-list restrictions because the feature applies a /32 default mask to IPv6 addresses instead of the appropriate /128, dramatically widening the trusted address space and potentially admitting unauthorized clients into authenticated sessions. The flaw is confined to the Auth Proxy authentication path (Okta, SAML, and LDAP integrations are unaffected), and no public exploit had been identified at the time of analysis, with EPSS at 0.03% and SSVC marking exploitation as 'none'.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Grafana with Auth Proxy and IPv6 allow-list
Delivery: Position within the over-broad /32 IPv6 range
Exploit: Send HTTP request with forged X-WEBAUTH-USER header
Execution: Bypass allow-list due to default /32 mask
Persist: Grafana accepts pre-authenticated identity
Impact: Access dashboards and modify data as target user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target deployment (a) uses the Auth Proxy authentication provider, (b) configures its allow-list with at least one IPv6 entry written without an explicit CIDR mask, and (c) is reachable by the attacker from somewhere inside the resulting /32 IPv6 range that Grafana mistakenly trusts. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals are mixed but coherent. CVSS 7.4 with C:H/I:H/A:N reflects the severity of an authentication bypass leading to confidentiality and integrity loss, while AC:H accurately captures that exploitation requires a non-default but realistic misconfiguration (an IPv6 deployment of Auth Proxy with mask-less entries). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker on the same IPv6 /32 block as the legitimate reverse proxy (for instance, sharing a hosting provider, cloud region, or transit network with the Grafana operator) crafts HTTP requests directly to the Grafana backend including the X-WEBAUTH-USER header with an admin username. Because the source address falls within the over-broad /32 range that Grafana treats as a trusted Auth Proxy origin, the request is accepted as pre-authenticated and the attacker obtains the targeted user's session and dashboards. …

Remediation: Vendor-released patches are available. Upgrade Grafana OSS to 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, or 13.0.1+security-01 depending on your release line, per the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2026-33376. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all Grafana OSS instances with IPv6 enabled and document current IPv6 allow-list configurations to establish remediation scope. …


Vendor Status

SUSE (severity: High)

Product status:
SUSE Linux Enterprise Module for Package Hub 15 SP7: Fixed
SUSE Manager Client Tools 15: Fixed
SUSE Manager Client Tools for SLE 15: Fixed
SUSE Multi-Linux Manager Client Tools for SLE 15: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4: Fixed
