Developer & Open Source

Golang gRPC – CVE-2026-33186 Detail

1966woodenghost May 21, 2026 0



CVE-2026-33186
Detail




Description

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, “deny” rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback “allow” rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific “deny” rules for canonical paths but allows other requests by default (a fallback “allow” rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Metrics







NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.

CVSS 4.0 Severity and Vector Strings:

References to Advisories, Solutions, and Tools


By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to [email protected].

Weakness Enumeration









CWE-ID CWE Name Source

CWE-285
Improper Authorization








GitHub, Inc.  

Change History

2 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2026-33186
NVD
Published Date:
03/20/2026
NVD
Last Modified:
04/10/2026

Source:
GitHub, Inc.


Source: nvd.nist.gov…

Related Articles
We will be happy to hear your thoughts

Leave a reply

About Forlifedeals

Forlifedeals is a comprehensive source of independent reviews of the most recent SaaS (Software as a Service) tools and platforms. It is a great resource for businesses, marketers, and agencies, providing expert assessment of software solutions in various categories such as productivity, marketing, sales, and others.

🚀 Get First Access to SaaS Deals – Subscribe Now!

FOR LIFE DEALS
Logo
Register New Account
Compare items
  • Total (0)
Compare
0