CVE-2026-33186 — Improper Authorization in Grpc-go
Severity: 9.1 CRITICAL (NVD)
EPSS: 0.0% (top 96.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 20; latest update Apr 2
Description
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc…
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (Exploitability: 3.9 | Impact: 5.2)
Affected Packages: 5 packages
Vulnerability Details (8)
OSV: Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) in github.com/traefik/traefik (2026-04-02)
GHSA: Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) (2026-03-29)
OSV: Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) (2026-03-29)
OSV: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc (2026-03-27)
Vendor Advisories (3)
Threat Intelligence (1)
Community (1)
Bugzilla: CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (2026-03-20)