PT-2026-49532 · Elixir Grpc+1 · Grpc

Jonatan Männchen (+2) · Published 2026-06-15 · Updated 2026-06-15

CVE-2026-48599

CVSS v4.0: 7.6 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: elixir-grpc versions 0.8.0 through 0.9.x
Description: Authenticated attackers can access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or the request body. The defect is in map_request/5 in GRPC.Server.Transcode (lib/grpc/server/transcode.ex): Map.merge/2 is called with the path bindings as its first argument, and because values from the second argument win on key conflicts, the path bindings end up with the lowest merge precedence. Consequently, a request such as GET /users/me/profile?user_id=victim, or a POST whose body carries a user_id field, produces a decoded protobuf struct in which the path-bound field is overwritten by the attacker-supplied value. Handlers that rely on such fields for authorization, ownership checks, or multi-tenancy scoping can therefore be bypassed. Exploitation requires HTTP-to-gRPC transcoding to be enabled (the AT:P component of the vector).
Recommendations: Update to version 1.0.0 or later.
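The following Elixir script is an added illustration of the merge-precedence problem described above; it is not code from elixir-grpc, and the module and function names (TranscodeMergeDemo, merge_vulnerable/3, merge_path_wins/3, merge_strict/3) are hypothetical. It models only the step where path bindings, query-string parameters and body parameters are combined before protobuf decoding, shows the vulnerable argument order beside two hardened variants, and runs it over a constructed request for a route template like /users/{user_id}/profile.

```elixir
# Added illustration, not code from elixir-grpc. Models only the merge step
# of HTTP-to-gRPC transcoding; all names here are hypothetical.
defmodule TranscodeMergeDemo do
  @moduledoc """
  Shows how argument order in Map.merge/2 decides whether a field bound from
  the URL path can be overridden by the query string or the request body.
  In Map.merge(a, b), values from b win on key conflicts.
  """

  # Vulnerable shape described in the advisory: path bindings are the first
  # argument, so a duplicate key in the query string or body overwrites them.
  def merge_vulnerable(path_bindings, query_params, body_params) do
    path_bindings
    |> Map.merge(query_params)
    |> Map.merge(body_params)
  end

  # Path bindings merged last, so the value taken from the route always wins.
  def merge_path_wins(path_bindings, query_params, body_params) do
    query_params
    |> Map.merge(body_params)
    |> Map.merge(path_bindings)
  end

  # Stricter variant: refuse the request outright when a path-bound field is
  # also supplied with a different value elsewhere, instead of silently
  # picking one of the two.
  def merge_strict(path_bindings, query_params, body_params) do
    extra = Map.merge(query_params, body_params)

    conflicts =
      for {key, bound} <- path_bindings,
          Map.get(extra, key, bound) != bound,
          do: key

    case conflicts do
      [] -> {:ok, Map.merge(extra, path_bindings)}
      keys -> {:error, {:conflicting_path_bindings, keys}}
    end
  end
end

# Constructed request: the route template binds user_id from the path ("me"),
# while the query string smuggles a different user_id, as in
# GET /users/me/profile?user_id=victim.
path_bindings = %{"user_id" => "me"}
query_params = %{"user_id" => "victim"}
body_params = %{}

IO.inspect(
  TranscodeMergeDemo.merge_vulnerable(path_bindings, query_params, body_params),
  label: "vulnerable (path bindings merged first)"
)

IO.inspect(
  TranscodeMergeDemo.merge_path_wins(path_bindings, query_params, body_params),
  label: "hardened (path bindings merged last)"
)

IO.inspect(
  TranscodeMergeDemo.merge_strict(path_bindings, query_params, body_params),
  label: "hardened (conflicts rejected)"
)
```

Run it with elixir on a file such as transcode_merge_demo.exs. With the constructed input, merge_vulnerable/3 yields a map whose "user_id" is "victim", which is the value an ownership check in the handler would then trust; merge_path_wins/3 keeps "me"; merge_strict/3 returns {:error, {:conflicting_path_bindings, ["user_id"]}}. The advisory says only that 1.0.0 fixes the issue, not which of these shapes upstream chose, so treat both hardened variants as illustrative. When auditing a handler behind transcoding on an affected version, the same smuggled key in a POST body would override the path binding in exactly the same way.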

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-48599
GHSA-MWR4-5G34-J5CQ

Affected Products

Grpc