CVE-2026-33376: IPv6 Auth Proxy Bypass Risk
The National Vulnerability Database has disclosed CVE-2026-33376, a high-severity vulnerability (CVSS 7.4) affecting Auth Proxy features when using IPv6 allow-lists. The core issue stems from a default behavior where IPv6 addresses are treated as /32 instead of the intended /128, unless a specific mask is explicitly defined. This misconfiguration could allow unauthorized access to systems protected by the Auth Proxy.
This vulnerability specifically impacts Auth Proxy deployments relying on IPv6 allow-lists. Services like Okta, SAML, and LDAP are explicitly stated as unaffected. The attacker’s calculus here is straightforward: exploit the implicit /32 mask to bypass intended network segmentation and gain access to protected resources. Defenders must assume that any system configured with an IPv6 allow-list without explicit /128 masks is potentially exposed.
Mitigation is direct: administrators must review all IPv6 allow-list configurations for the Auth Proxy feature. For every IPv6 address, explicitly add the desired mask, typically /128, to ensure that only the intended single host is permitted. This is a critical configuration oversight that could lead to significant unauthorized access if not addressed promptly.
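One way to run the review described above, as an added example (not code from the advisory or the affected product). It assumes the allow-list is a comma-separated string, since the page does not name the setting or its format; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Assumption: the allow-list is a comma-separated string of addresses/CIDRs.
IMPLICIT_V6_PREFIX = 32   # default the page describes for mask-less IPv6 entries
INTENDED_V6_PREFIX = 128  # single host, what the operator meant


def audit_allowlist(raw):
    """Return one finding per IPv6 entry that carries no explicit mask."""
    findings = []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry or "/" in entry:
            continue  # empty, or mask already explicit
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # not an IP literal (hostname, typo): out of scope here
        if addr.version != 6:
            continue
        effective = ipaddress.ip_network(f"{entry}/{IMPLICIT_V6_PREFIX}", strict=False)
        findings.append({
            "entry": entry,
            "effective": str(effective),               # range actually admitted
            "fixed": f"{addr}/{INTENDED_V6_PREFIX}",   # entry to configure instead
        })
    return findings


def admitted(entry, client, implicit_prefix):
    """For an IPv6 entry: does `client` match when a missing mask means `implicit_prefix`?"""
    if "/" not in entry:
        entry = f"{entry}/{implicit_prefix}"
    return ipaddress.ip_address(client) in ipaddress.ip_network(entry, strict=False)


def harden(raw):
    """Rewrite the allow-list with /128 appended to every mask-less IPv6 entry."""
    fixes = {f["entry"]: f["fixed"] for f in audit_allowlist(raw)}
    return ", ".join(fixes.get(e.strip(), e.strip()) for e in raw.split(",") if e.strip())


# Constructed sample using documentation prefixes (2001:db8::/32, 192.0.2.0/24).
SAMPLE = "192.0.2.10, 2001:db8:aa:1::5, 2001:db8:bb::/64"

if __name__ == "__main__":
    for f in audit_allowlist(SAMPLE):
        print(f"{f['entry']} -> treated as {f['effective']}; set {f['fixed']}")
    print(harden(SAMPLE))
```

Entries that already carry a mask are left untouched, so a deliberately wider range such as a /64 still needs a human decision on whether it is intended.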
What This Means For You
- If your organization uses an Auth Proxy with IPv6 allow-lists, you are exposed. Review all IPv6 allow-list entries immediately and ensure a /128 mask (or your intended specific mask) is explicitly appended to every address. Do not rely on default implicit masks.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-33376: Auth Proxy IPv6 Bypass Attempt
```yaml
title: 'CVE-2026-33376: Auth Proxy IPv6 Bypass Attempt'
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-33376 by bypassing the Auth Proxy's IPv6 allow-list.
  The vulnerability occurs when the proxy defaults to a /32 mask for IPv6 allow-list entries
  instead of the intended /128, allowing access from IPv6 ranges wider than the listed hosts.
  This rule looks for requests to the auth proxy endpoint originating from IPv6 source
  addresses that match the prefixes below, potentially indicating an exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-33376/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: proxy
detection:
  selection:
    cs-uri-query|contains:
      - '/auth/proxy'
    # IPv4-mapped IPv6 source prefixes, as published with the rule
    src_ip|startswith:
      - '::ffff:192.168.1.'
      - '::ffff:10.0.0.'
      - '::ffff:172.16.0.'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33376 | Auth Bypass | Auth Proxy feature with IPv6 allow-list |
| CVE-2026-33376 | Misconfiguration | IPv6 allow-list defaults to /32 addresses in Auth Proxy |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.