PT-2026-26207 · Google · Grpc-Go

Author: Mariuszmaik · Published 2026-03-18 · Updated 2026-03-23

CVE-2026-33186 · CVSS v3.1 9.1 (Critical) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
gRPC-Go versions prior to 1.79.3

Description
gRPC-Go is susceptible to an authorization bypass due to inadequate validation of the HTTP/2 :path pseudo-header. The server incorrectly routes requests lacking a leading slash in the :path (e.g., Service/Method instead of /Service/Method). While routing succeeds, authorization interceptors, including grpc/authz, evaluate the raw, non-canonical path. Consequently, "deny" rules for canonical paths are bypassed if a default "allow" rule exists. This is exploitable by attackers sending raw HTTP/2 frames with malformed :path headers. Recent observations indicate increased targeting of this vulnerability by malicious actors. The issue affects gRPC-Go servers utilizing path-based authorization interceptors, such as the official RBAC implementation or custom interceptors relying on info.FullMethod or grpc.Method(ctx), and those with security policies that deny specific canonical paths but allow other requests by default.

Recommendations
Upgrade to version 1.79.3 or later. As a mitigation, implement a validating interceptor to check for a leading slash in the :path before any authorization logic. If using a reverse proxy or load balancer, configure it to enforce strict HTTP/2 compliance and reject or normalize requests with malformed :path headers. Harden security policies by switching to a "default deny" posture, explicitly listing allowed paths and denying all others.
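The following is an added example, not code from the advisory or from the gRPC-Go project. It models the failure mode and the recommended mitigation using only the Go standard library: a hypothetical default-allow policy with a deny rule for one canonical full-method path, a literal-match `Evaluate` that stands in for an interceptor comparing `info.FullMethod` against its rules, and a `ValidateFullMethod` check that runs before any policy evaluation and rejects any path that is not of the form `/Service/Method`. The service and method names, the `Policy` type and all sample paths are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the outcome of evaluating a request path against a policy.
type Decision string

const (
	Allow Decision = "ALLOW"
	Deny  Decision = "DENY"
)

// Policy is a hypothetical stand-in for a path-based RBAC policy: a list of
// canonical full-method paths that are denied, with everything else allowed
// by default (the "default allow" posture the advisory warns about).
type Policy struct {
	DenyPaths []string
}

// Evaluate matches the raw path literally, the way an authorization
// interceptor that compares info.FullMethod against its rules would.
// It performs no normalization, so "Service/Method" does not match a
// deny rule written for "/Service/Method".
func (p Policy) Evaluate(fullMethod string) Decision {
	for _, d := range p.DenyPaths {
		if d == fullMethod {
			return Deny
		}
	}
	return Allow
}

// ErrMalformedPath is returned for a :path that is not a canonical gRPC
// full-method path of the form /Service/Method.
var ErrMalformedPath = errors.New("malformed :path: expected /Service/Method")

// ValidateFullMethod is the mitigating check from the recommendations:
// reject any path without a leading slash, and any path that does not
// consist of exactly one service segment and one method segment.
func ValidateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrMalformedPath
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ErrMalformedPath
	}
	return nil
}

// Authorize is the validating interceptor's logic: validate first, then
// evaluate the policy. A request that fails validation is denied with an
// error and never reaches the policy, so a non-canonical path cannot slip
// past a deny rule written for the canonical form.
func Authorize(p Policy, fullMethod string) (Decision, error) {
	if err := ValidateFullMethod(fullMethod); err != nil {
		return Deny, err
	}
	return p.Evaluate(fullMethod), nil
}

func main() {
	policy := Policy{DenyPaths: []string{"/admin.Admin/DeleteUser"}}
	// Constructed sample paths: the canonical denied path, its non-canonical
	// variant without the leading slash, and an unrelated allowed path.
	for _, path := range []string{
		"/admin.Admin/DeleteUser",
		"admin.Admin/DeleteUser",
		"/admin.Admin/ListUsers",
	} {
		fmt.Printf("policy only : %-25q -> %s\n", path, policy.Evaluate(path))
		d, err := Authorize(policy, path)
		fmt.Printf("validated   : %-25q -> %s (err=%v)\n", path, d, err)
	}
}
```

In a real `grpc.UnaryServerInterceptor` (and its stream counterpart) the value passed to `ValidateFullMethod` would be `info.FullMethod`, and the interceptor would be registered ahead of the authorization interceptor so that the check runs before any policy decision. Note that validation alone only closes the non-canonical-path gap; the advisory's stronger recommendation is a default-deny policy, under which an unmatched path is denied regardless of how it is spelled.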

Fix

Weakness Enumeration
Improper Authorization

Related Identifiers
CVE-2026-33186
GHSA-P77J-4MVH-X3M3
OPENSUSE-SU-2026:10407-1

Affected Products
Grpc-Go