Home
HIGH: 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NDefault status
unaffected
9.4.0 (semver)
affected
11.6.14 (custom) before 11.6.14+security-04
affected
12.0.0 (semver)
affected
12.2.8 (custom) before 12.2.8+security-04
affected
12.3.0 (semver)
affected
12.3.6 (custom) before 12.3.6+security-04
affected
12.4.0 (semver)
affected
12.4.3 (custom) before 12.4.3+security-02
affected
13.0.0 (semver)
affected
13.0.1 (custom) before 13.0.1+security-01
affected
Description
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.
Product status
9.4.0 (semver)
11.6.14 (custom) before 11.6.14+security-04
12.0.0 (semver)
12.2.8 (custom) before 12.2.8+security-04
12.3.0 (semver)
12.3.6 (custom) before 12.3.6+security-04
12.4.0 (semver)
12.4.3 (custom) before 12.4.3+security-02
13.0.0 (semver)
13.0.1 (custom) before 13.0.1+security-01
References
grafana.com/security/security-advisories/cve-2026-33376