Grafana
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*
A vulnerability exists in Grafana's Auth Proxy feature when using an IPv6 allow-list: addresses entered without a mask default to /32. This can leave the allow-list misconfigured. Only the Auth Proxy is affected; other authentication methods such as Okta, SAML, and LDAP are not impacted. To address this vulnerability, users should specify the desired mask, typically /128, for the addresses in the allow-list.
Exploitation of this vulnerability could lead to improper authentication proxying, potentially allowing unauthorized access or actions within the application.
Users can easily mitigate this vulnerability by adding the appropriate mask, usually /128, to the IPv6 addresses in the allow-list for the Auth Proxy feature.
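The effect of the /32 default, and a check for allow-list entries that rely on it, as an added example (not Grafana's code). It assumes the allow-list is supplied as a comma-separated string; the addresses are constructed from documentation ranges.

```python
import ipaddress

# Per the advisory: an IPv6 allow-list entry without a mask is treated as /32.
DEFAULT_PREFIX = 32


def matches(entry, client):
    """Model the allow-list check: does `client` fall inside `entry`?"""
    if "/" not in entry:
        entry = f"{entry}/{DEFAULT_PREFIX}"
    net = ipaddress.ip_network(entry, strict=False)
    ip = ipaddress.ip_address(client)
    return ip.version == net.version and ip in net


def audit_allow_list(value):
    """Flag IPv6 entries that have no explicit mask and suggest the /128 form."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry or "/" in entry:
            continue  # empty, or the operator already chose a mask
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # not an IP literal; out of scope for this check
        if addr.version != 6:
            continue  # /32 on an IPv4 address is already a single host
        net = ipaddress.ip_network(f"{entry}/{DEFAULT_PREFIX}", strict=False)
        findings.append({
            "entry": entry,
            "effective": str(net),     # what the entry matches by default
            "fix": f"{addr}/128",      # single-host form recommended above
        })
    return findings


if __name__ == "__main__":
    # Constructed sample allow-list value.
    sample = "192.0.2.7, 2001:db8::10, 2001:db8::20/128"
    for f in audit_allow_list(sample):
        print(f"{f['entry']} is treated as {f['effective']}; use {f['fix']}")
    # An unrelated host in the same /32 passes the unmasked entry.
    print(matches("2001:db8::10", "2001:db8:ffff::1"))      # True
    print(matches("2001:db8::10/128", "2001:db8:ffff::1"))  # False
```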