Impact
The flaw involves Grafana OSS's Auth Proxy feature when IPv6 allow-lists are used. Entries that carry no explicit mask default to a /32 subnet mask; on a 128-bit IPv6 address a /32 prefix compares only the first 32 bits, so the default unintentionally permits any IPv6 address that falls within that /32 range, even if the address is not explicitly listed. An attacker who can observe or craft an address inside that range and present it to Grafana causes the proxy to treat the request as coming from an allow-listed source, granting unauthorized access. The underlying weakness is an insecure default in network-mask handling, classified as CWE-1188.
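The following Go program is an added illustration of the defect described above and of its fix; it is not Grafana's code. It models a whitelist parser that appends a fixed "/32" to mask-less entries beside one that derives the host mask from the entry's own address family, and checks a constructed sample entry and client (names such as parseEntryVulnerable, parseEntryFixed and allowed are assumptions for this example).

```go
package main

import (
	"fmt"
	"net/netip"
)

// parseEntryVulnerable models the defect: a mask-less entry always gets "/32".
func parseEntryVulnerable(entry string) (netip.Prefix, error) {
	if p, err := netip.ParsePrefix(entry); err == nil {
		return p, nil
	}
	return netip.ParsePrefix(entry + "/32")
}

// parseEntryFixed derives the default from the entry's own address family:
// a mask-less entry becomes a single-host prefix, /32 for IPv4, /128 for IPv6.
func parseEntryFixed(entry string) (netip.Prefix, error) {
	if p, err := netip.ParsePrefix(entry); err == nil {
		return p, nil
	}
	addr, err := netip.ParseAddr(entry)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(addr, addr.BitLen()), nil
}

// allowed reports whether client matches any entry; malformed input never matches (fail closed).
func allowed(entries []string, client string, parse func(string) (netip.Prefix, error)) bool {
	addr, err := netip.ParseAddr(client)
	if err != nil {
		return false
	}
	for _, e := range entries {
		if p, err := parse(e); err == nil && p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: one mask-less IPv6 entry and a client sharing only its first 32 bits.
	entries := []string{"2001:db8::1"}
	client := "2001:db8:ffff::beef"
	fmt.Println("vulnerable:", allowed(entries, client, parseEntryVulnerable)) // vulnerable: true
	fmt.Println("fixed:", allowed(entries, client, parseEntryFixed))           // fixed: false
}
```

With the fixed parser, the sample entry matches only itself, while IPv4 entries keep their usual /32 host mask.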
Affected Systems
Any Grafana OSS installation that has the Auth Proxy feature enabled and a whitelist of IPv6 addresses without explicit masks is susceptible. No particular Grafana version is singled out in the advisory, and the vulnerability is confined to the Auth Proxy; other authentication options such as Okta, SAML, and LDAP are unaffected.
Risk and Exploitability
The CVSS score of 7.4 indicates high severity, while the EPSS score of under 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. A remote attacker could exploit the issue by sending traffic from an IPv6 address that matches the default /32 mask, thereby bypassing the intended whitelist and gaining unauthorized access via the Auth Proxy. The attack requires network access to the Grafana instance and the ability to specify an IPv6 address in the connection headers.
OpenCVE Enrichment