CVE-2026-33186
Authorization Bypass vulnerability in grpc (Go)


What is CVE-2026-33186 About?

This vulnerability is an Authorization Bypass due to improper input validation of the HTTP/2 `:path` pseudo-header in gRPC-Go servers. Malformed paths (omitting the leading slash) can bypass authorization interceptors, allowing unauthorized access if a fallback allow rule exists. Exploitation requires the ability to send raw HTTP/2 frames directly to the gRPC server.

Affected Software

google.golang.org/grpc <1.79.3

Technical Details

The gRPC-Go server was overly permissive in its routing, accepting HTTP/2 requests where the `:path` pseudo-header lacked the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server could still route these requests to the correct handler, authorization interceptors, including those from `grpc/authz` and custom implementations relying on `info.FullMethod` or `grpc.Method(ctx)`, evaluated the raw, non-canonical path string. This meant that 'deny' rules defined for canonical paths (starting with `/`) would fail to match these malformed requests, effectively allowing them to bypass the authorization policy if a default or fallback 'allow' rule was in place. The attacker manipulates the `:path` header at the HTTP/2 layer to exploit this discrepancy.
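As an added illustration (not gRPC-Go's own code and not the `grpc/authz` policy engine), the toy Go evaluator below models the discrepancy described above with a hypothetical `Policy` type and constructed rules: evaluating the raw path lets `admin.Admin/Reset` through on the fallback allow, while a canonical-form check placed in front of the policy rejects it before any rule is consulted.

```go
package main

import "strings"

// Policy is a hypothetical stand-in for a path-based gRPC authorization policy:
// deny rules for canonical "/Service/Method" names plus a fallback allow.
type Policy struct {
	Deny          []string
	FallbackAllow bool
}

// matchesRule is a literal match, with "/Service/*" as a trailing wildcard.
func matchesRule(rule, fullMethod string) bool {
	if strings.HasSuffix(rule, "/*") {
		return strings.HasPrefix(fullMethod, strings.TrimSuffix(rule, "*"))
	}
	return rule == fullMethod
}

// allowRaw evaluates the path string exactly as handed to the interceptor, as the
// vulnerable flow did: "Service/Method" matches no deny rule and falls through.
func allowRaw(p Policy, fullMethod string) bool {
	for _, d := range p.Deny {
		if matchesRule(d, fullMethod) {
			return false
		}
	}
	return p.FallbackAllow
}

// isCanonicalFullMethod requires exactly "/<service>/<method>", both non-empty.
func isCanonicalFullMethod(m string) bool {
	if !strings.HasPrefix(m, "/") {
		return false
	}
	parts := strings.Split(m[1:], "/")
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

// allowCanonical is the hardened flow: non-canonical paths are rejected before the policy runs.
func allowCanonical(p Policy, fullMethod string) bool {
	return isCanonicalFullMethod(fullMethod) && allowRaw(p, fullMethod)
}

func main() {
	p := Policy{Deny: []string{"/admin.Admin/*"}, FallbackAllow: true} // constructed policy
	for _, path := range []string{"/admin.Admin/Reset", "admin.Admin/Reset"} {
		println(path, "raw:", allowRaw(p, path), "hardened:", allowCanonical(p, path))
	}
}
```

The same canonical-form check belongs in front of any interceptor that keys on `info.FullMethod`, independent of upgrading to a fixed gRPC-Go release.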

What is the Impact of CVE-2026-33186?

Successful exploitation may allow attackers to bypass authorization policies, leading to unauthorized access to services or data that should be restricted.

What is the Exploitability of CVE-2026-33186?

Exploitation is of high complexity, requiring the ability to craft and send raw HTTP/2 frames directly to the gRPC server. No authentication or specific privilege is required for the bypass itself, but the attacker would typically need network access to the gRPC server. The attack is remote. Prerequisites are that the gRPC-Go server uses path-based authorization interceptors (such as `grpc/authz`) and that its policy combines specific 'deny' rules for canonical paths with a fallback 'allow' rule. The only special condition is an HTTP/2 `:path` pseudo-header that omits the leading slash. Risk is increased if the gRPC server is directly exposed to untrusted networks or if proxies in front of it do not normalize HTTP/2 pseudo-headers.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2026-33186?

Available Upgrade Options

  • google.golang.org/grpc
    • <1.79.3 → Upgrade to 1.79.3


Additional Resources

What are Similar Vulnerabilities to CVE-2026-33186?

Similar Vulnerabilities: CVE-2023-3978, CVE-2023-45803, CVE-2022-21727, CVE-2022-35105, CVE-2022-38706