PT-2026-26207 · Google · Grpc-Go

Mariuszmaik · Published 2026-03-18 · Updated 2026-05-08 · CVE-2026-33186

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: gRPC-Go versions prior to 1.79.3
Description: gRPC-Go is vulnerable to an authorization bypass due to improper input validation of the HTTP/2 :path pseudo-header. The server incorrectly routes requests whose :path header is missing the leading slash, allowing attackers to bypass authorization checks when the deployment relies on path-based authorization interceptors (like grpc/authz) with a 'deny' rule for canonical paths and a fallback 'allow' rule. An attacker can exploit this by sending raw HTTP/2 frames with malformed :path headers directly to the gRPC server. There have been reports of increased actor activity targeting gRPC-Go (CVE-2026-33186).
Recommendations: Upgrade to gRPC-Go version 1.79.3 or later. As a temporary workaround, implement a validating interceptor to reject requests with malformed paths, enforce infrastructure-level normalization of the :path header, or harden authorization policies to a 'default deny' posture.
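
The following is an added example, not code from this advisory or from the gRPC-Go project. It models why a 'deny' rule with a fallback 'allow' misses a :path that lacks its leading slash, and how a validating check run before the policy (or a 'default deny' fallback) closes the gap. The rule type, the function names and the service paths are constructed for illustration; in a grpc-go server the same check would be applied to info.FullMethod in the outermost interceptor.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrMalformedPath = errors.New("malformed :path, want /Service/Method")

// ValidateMethodPath accepts only the canonical form "/Service/Method".
// Requiring exactly two non-empty segments is this example's own, stricter choice.
func ValidateMethodPath(p string) error {
	svc, method, ok := strings.Cut(strings.TrimPrefix(p, "/"), "/")
	if !strings.HasPrefix(p, "/") || !ok || svc == "" || method == "" || strings.Contains(method, "/") {
		return ErrMalformedPath
	}
	return nil
}

// rule is a simplified exact-match policy entry (not the grpc/authz format).
type rule struct {
	path  string
	allow bool
}

// Authorize returns the first matching rule's verdict, else the fallback.
func Authorize(rules []rule, fallbackAllow bool, path string) bool {
	for _, r := range rules {
		if r.path == path {
			return r.allow
		}
	}
	return fallbackAllow
}

// Guarded validates the path before the policy sees it, as an outermost interceptor would.
func Guarded(rules []rule, fallbackAllow bool, path string) bool {
	return ValidateMethodPath(path) == nil && Authorize(rules, fallbackAllow, path)
}

func main() {
	rules := []rule{{path: "/admin.Admin/Delete", allow: false}} // constructed sample policy
	for _, p := range []string{"/admin.Admin/Delete", "admin.Admin/Delete", "/pkg.Svc/Get"} {
		fmt.Printf("%-22q allow-fallback=%-5v guarded=%-5v default-deny=%v\n", p, Authorize(rules, true, p), Guarded(rules, true, p), Authorize(rules, false, p))
	}
}
```
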

Exploit

Fix

Weakness Enumeration: Improper Authorization

Related Identifiers


Affected Products

Grpc-Go