cbcvebase.
CVE-2026-33186
published 2026-03-20

Priority: P263 · Severity: critical · CVSS 3.1 base score: 9.1
CVSS 3.1 metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 1.56% (72.1st percentile)
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, AND whose security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server.

The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: a validating interceptor (the recommended mitigation), infrastructure-level normalization, and/or policy hardening.
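The following Go program is an added example, not code from the advisory or from the gRPC-Go project. It reproduces the policy pattern the advisory describes (exact-match deny rules on canonical paths plus a fallback allow) with a constructed stand-in evaluator, shows that the raw path `admin.Service/Drop` falls through to the fallback allow, and then shows the validating-interceptor mitigation: a `validateFullMethod` check that rejects any method path not of the form `/Service/Method` before the policy ever sees it. The policy type, the evaluator, the sample paths and the requirement that both segments be non-empty are assumptions made for this example; the leading-slash rule itself is what the 1.79.3 fix enforces.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the outcome of evaluating a path-based authorization policy.
type Decision string

const (
	Allow Decision = "allow"
	Deny  Decision = "deny"
)

// policy mirrors the vulnerable pattern named in the advisory: specific deny
// rules written with canonical "/Service/Method" paths plus a fallback allow.
// It is a constructed stand-in for this example, not the grpc/authz engine.
type policy struct {
	denyPaths    []string
	allowDefault bool
}

// evaluate compares deny rules against the method path exactly as received,
// which is how the advisory says pre-1.79.3 interceptors behaved.
func (p policy) evaluate(fullMethod string) Decision {
	for _, d := range p.denyPaths {
		if d == fullMethod {
			return Deny
		}
	}
	if p.allowDefault {
		return Allow
	}
	return Deny
}

// ErrNonCanonicalPath is returned for any method path that is not of the
// form "/Service/Method". A real interceptor would map it to
// status.Error(codes.Unimplemented, ...), matching the 1.79.3 behaviour.
var ErrNonCanonicalPath = errors.New("non-canonical gRPC method path")

// validateFullMethod is the validating-interceptor check: reject anything
// that does not start with "/" or lacks non-empty service and method
// segments. The leading-slash rule is what the advisory's fix enforces; the
// non-empty-segment rule is a stricter assumption added for this example.
func validateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrNonCanonicalPath
	}
	service, method, ok := strings.Cut(fullMethod[1:], "/")
	if !ok || service == "" || method == "" {
		return ErrNonCanonicalPath
	}
	return nil
}

// authorize runs validation first, so the policy only ever sees canonical
// paths; a non-canonical path never reaches the deny/allow comparison.
func authorize(p policy, fullMethod string) (Decision, error) {
	if err := validateFullMethod(fullMethod); err != nil {
		return "", err
	}
	return p.evaluate(fullMethod), nil
}

func main() {
	p := policy{denyPaths: []string{"/admin.Service/Drop"}, allowDefault: true}

	// Constructed sample paths: the canonical denied form, the non-canonical
	// form from the advisory, and an unrelated method covered by the fallback.
	for _, path := range []string{"/admin.Service/Drop", "admin.Service/Drop", "/public.Service/Ping"} {
		fmt.Printf("raw policy only:  %-22q -> %s\n", path, p.evaluate(path))
		d, err := authorize(p, path)
		if err != nil {
			fmt.Printf("validate+policy:  %-22q -> rejected (%v)\n", path, err)
			continue
		}
		fmt.Printf("validate+policy:  %-22q -> %s\n", path, d)
	}
}
```

To wire this into a real server (using the gRPC-Go API, which the advisory does not show), the check goes at the top of the functions passed to `grpc.UnaryInterceptor` and `grpc.StreamInterceptor`, reading `info.FullMethod`, and returns `status.Error(codes.Unimplemented, ...)` on failure; it must be registered ahead of any authorization interceptor so that the policy only ever compares canonical paths. Policy hardening in this model means adding a deny rule for the non-canonical spelling as well, but that still leaves the evaluator comparing attacker-controlled strings, which is why validation is the recommended mitigation.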

Affected (9 ranges)

Vendor             Product                                   Version range                    Fixed in
debian             golang-google-grpc                        -                                -
github.com         traefik_traefik_v2                        >= 0 < 2.11.42                   2.11.42
github.com         traefik_traefik_v3                        >= 3.0.0-beta3 < 3.6.12          3.6.12
github.com         traefik_traefik_v3                        >= 3.7.0-ea.1 < 3.7.0-ea.3       3.7.0-ea.3
google.golang.org  grpc                                      >= 0 < 1.79.3                    1.79.3
grpc               grpc                                      < 1.79.3                         1.79.3
grpc               grpc-go                                   < 1.79.3                         1.79.3
msrc               azl3_grpc_1.62.3-1_on_azure_linux_3.0     -                                -
msrc               cbl2_grpc_1.42.0-11_on_cbl_mariner_2.0    -                                -

Detection & IOCs

  • Detect HTTP/2 requests where the :path pseudo-header does not begin with a leading slash (e.g., `Service/Method` instead of `/Service/Method`), which is the malformed input used to exploit this authorization bypass.
  • Flag or block gRPC-over-HTTP/2 requests where the raw :path value does not start with '/'; these requests should be rejected with codes.Unimplemented in patched versions but will be silently routed in vulnerable ones.
  • Monitor for exploitation attempts by inspecting raw HTTP/2 frames sent directly to gRPC servers for malformed :path headers lacking a leading slash.
  • Vulnerability only affects gRPC-Go servers using path-based authorization interceptors (e.g., google.golang.org/grpc/authz RBAC, or custom interceptors relying on info.FullMethod or grpc.Method(ctx)) AND that have a policy with specific 'deny' rules for canonical paths combined with a fallback 'allow' rule. Servers without this policy pattern are not exploitable.
  • Authorization interceptors evaluate the raw, non-canonical path string, causing 'deny' rules defined with canonical paths (starting with '/') to fail to match the incoming malformed request, allowing bypass when a fallback 'allow' rule is present.
  • Affected versions are gRPC-Go prior to 1.79.3. Upgrading to 1.79.3 is the recommended fix; mitigations include a validating interceptor, infrastructure-level normalization, and/or policy hardening.

CVSS provenance

Source          Score  Severity  Vector
nvd (v3.1)      9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa            9.1    CRITICAL
osv             9.1    CRITICAL
vendor_debian   9.1    CRITICAL
vendor_redhat   9.1    CRITICAL
vendor_msrc     8.1    HIGH