Vulnerability Details: CVE-2026-33376

Summary
Assigner: GRAFANA
Assigner Org ID: 57da9224-a3e2-4646-9d0e-c4dc2e05e7da
Published At: 13 May, 2026 | 19:28
Updated At: 22 Jun, 2026 | 16:31

Auth Proxy IPv6 whitelist bypass

When an IPv6 allow-list is used for the Auth Proxy feature, entries without an explicit mask default to a /32 prefix, so each such entry matches a whole /32 network rather than a single address. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only Auth Proxy is affected; Okta, SAML, LDAP, etc. are unaffected here.

▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)
Affected Products
Vendor: Grafana Labs (Grafana)
Product: Grafana OSS
Default Status: unaffected
Versions
Affected
  • From 9.4.0 through 11.6.14 (semver)
  • From 11.6.14 before 11.6.14+security-04 (custom)
  • From 12.0.0 through 12.2.8 (semver)
  • From 12.2.8 before 12.2.8+security-04 (custom)
  • From 12.3.0 through 12.3.6 (semver)
  • From 12.3.6 before 12.3.6+security-04 (custom)
  • From 12.4.0 through 12.4.3 (semver)
  • From 12.4.3 before 12.4.3+security-02 (custom)
  • From 13.0.0 through 13.0.1 (semver)
  • From 13.0.1 before 13.0.1+security-01 (custom)
Metrics
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References
Hyperlink: https://grafana.com/security/security-advisories/cve-2026-33376
Resource: vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Problem Types
Type: CWE
CWE ID: CWE-1188
Description: CWE-1188 Initialization of a Resource with an Insecure Default
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: security@grafana.com
Published At: 13 May, 2026 | 20:16
Updated At: 02 Jun, 2026 | 19:28

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CPE Matches
Vendor: Grafana Labs
Product: grafana
  • Versions from 8.5.0 (inclusive) to 11.6.14 (exclusive): cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
  • Versions from 12.2.0 (inclusive) to 12.2.8 (exclusive): cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
  • Versions from 12.3.0 (inclusive) to 12.3.6 (exclusive): cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
  • Versions from 12.4.0 (inclusive) to 12.4.3 (exclusive): cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
  • 11.6.14: cpe:2.3:a:grafana:grafana:11.6.14:-:*:*:*:*:*:*
  • 11.6.14: cpe:2.3:a:grafana:grafana:11.6.14:security01:*:*:*:*:*:*
  • 12.2.8: cpe:2.3:a:grafana:grafana:12.2.8:-:*:*:*:*:*:*
  • 12.2.8: cpe:2.3:a:grafana:grafana:12.2.8:security01:*:*:*:*:*:*
  • 12.3.6: cpe:2.3:a:grafana:grafana:12.3.6:-:*:*:*:*:*:*
  • 12.3.6: cpe:2.3:a:grafana:grafana:12.3.6:security01:*:*:*:*:*:*
  • 12.4.3: cpe:2.3:a:grafana:grafana:12.4.3:-:*:*:*:*:*:*
  • 13.0.0: cpe:2.3:a:grafana:grafana:13.0.0:*:*:*:*:*:*:*
  • 13.0.1: cpe:2.3:a:grafana:grafana:13.0.1:-:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-1188
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
References
Hyperlink: https://grafana.com/security/security-advisories/cve-2026-33376
Source: security@grafana.com
Resource: Vendor Advisory

Similar CVEs

1 record found

CVE-2025-13357
Matching Score: 4
Assigner: HashiCorp Inc.
CVSS Score: 7.4 (HIGH)
EPSS: 0.49% / 38.68%
7 Day CHG: ~0.00%
Published: 21 Nov, 2025 | 15:02
Updated: 17 Apr, 2026 | 17:57
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

Action: Not Available
Vendor: HashiCorp, Inc.
Product: terraform_provider, Tooling
CWE ID: CWE-1188 (Initialization of a Resource with an Insecure Default)