CVE-2026-33186CRITICAL≥ 0, < 1.79.32026-03-18
CVE-2026-33186 [CRITICAL] CWE-285 gRPC-Go has an authorization bypass via missing leading slash in :path
gRPC-Go has an authorization bypass via missing leading slash in :path
### Impact
_What kind of vulnerability is it? Who is impacted?_
It is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header.
The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Ser
ghsaosv