Golang gRPC – CVE-2026-33186 Detail
A vulnerability has been identified in gRPC-Go versions prior to 1.79.3 that allows an authorization bypass due to improper input validation of the HTTP/2 `:path` pseudo-header. This flaw lets requests whose `:path` lacks the leading slash slip past defined authorization rules, potentially exposing sensitive data. Users are advised to upgrade to version 1.79.3 or apply mitigations to secure their systems.
- The vulnerability affects gRPC-Go servers using path-based authorization interceptors.
- Requests with a `:path` that does not start with a leading slash can bypass authorization rules.
- The issue can be exploited by attackers sending malformed HTTP/2 frames directly to the server.
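As an added illustration (not code from the NVD entry or from gRPC-Go itself), the following Go program models a path-based authorization interceptor as a plain function: `authorizeLenient` matches rules against the method path exactly as received and so reproduces the bypass, while `authorizeStrict` first rejects any path that is not in the canonical `/{service}/{method}` form required by the gRPC-over-HTTP/2 protocol. The `protectedPrefixes` rule set, the method names and the admin flag are constructed for the example; a real interceptor would apply the same check to `info.FullMethod` from `grpc.UnaryServerInfo`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrMalformedPath = errors.New("malformed :path: expected /{service}/{method}")
var ErrDenied = errors.New("permission denied")

// Constructed rule set: methods under these service prefixes need the admin role.
var protectedPrefixes = []string{"/admin.Service/", "/internal."}

// isCanonical reports whether path has the form /{service}/{method} with
// non-empty components, the only shape the gRPC-over-HTTP/2 protocol allows.
func isCanonical(path string) bool {
	parts := strings.Split(path, "/")
	return len(parts) == 3 && parts[0] == "" && parts[1] != "" && parts[2] != ""
}

// authorizeLenient mirrors the pre-1.79.3 failure mode: it matches rules against
// the path exactly as received, so "admin.Service/Reset" (no leading slash) hits
// no prefix rule and is allowed for a caller who is not an admin.
func authorizeLenient(path string, isAdmin bool) error {
	for _, p := range protectedPrefixes {
		if strings.HasPrefix(path, p) && !isAdmin {
			return ErrDenied
		}
	}
	return nil
}

// authorizeStrict fails closed: a non-canonical path is rejected before any rule
// is consulted, so a rule can never be skipped by reshaping the path.
func authorizeStrict(path string, isAdmin bool) error {
	if !isCanonical(path) {
		return ErrMalformedPath
	}
	return authorizeLenient(path, isAdmin)
}

func main() {
	for _, p := range []string{"/admin.Service/Reset", "admin.Service/Reset"} {
		fmt.Printf("%-22s lenient=%v strict=%v\n", p, authorizeLenient(p, false), authorizeStrict(p, false))
	}
}
```

The same fail-closed check belongs in the interceptor even after upgrading, since the server's routing fix and the interceptor's own validation are independent layers.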
Opening excerpt (first ~120 words):
CVE-2026-33186 Detail
Description: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`).
…
Excerpt limited to ~120 words for fair-use compliance. The full entry is at NIST.