gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33186.json
https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
https://bugzilla.redhat.com/show_bug.cgi?id=2449833
https://access.redhat.com/security/cve/CVE-2026-33186
https://access.redhat.com/errata/RHSA-2026:9872
https://access.redhat.com/errata/RHSA-2026:9453
https://access.redhat.com/errata/RHSA-2026:9448
https://access.redhat.com/errata/RHSA-2026:9440
https://access.redhat.com/errata/RHSA-2026:9388
https://access.redhat.com/errata/RHSA-2026:9385
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:8449
https://access.redhat.com/errata/RHSA-2026:8433
https://access.redhat.com/errata/RHSA-2026:8338
https://access.redhat.com/errata/RHSA-2026:8151
https://access.redhat.com/errata/RHSA-2026:7245
https://access.redhat.com/errata/RHSA-2026:7128
https://access.redhat.com/errata/RHSA-2026:7110
https://access.redhat.com/errata/RHSA-2026:6802
https://access.redhat.com/errata/RHSA-2026:6564
https://access.redhat.com/errata/RHSA-2026:6428
https://access.redhat.com/errata/RHSA-2026:6174
https://access.redhat.com/errata/RHSA-2026:34364
https://access.redhat.com/errata/RHSA-2026:29854
https://access.redhat.com/errata/RHSA-2026:29082
https://access.redhat.com/errata/RHSA-2026:29079
https://access.redhat.com/errata/RHSA-2026:28964
https://access.redhat.com/errata/RHSA-2026:28893
https://access.redhat.com/errata/RHSA-2026:28047
https://access.redhat.com/errata/RHSA-2026:27957
https://access.redhat.com/errata/RHSA-2026:27901
https://access.redhat.com/errata/RHSA-2026:27893
https://access.redhat.com/errata/RHSA-2026:27892
https://access.redhat.com/errata/RHSA-2026:27856
https://access.redhat.com/errata/RHSA-2026:27712
https://access.redhat.com/errata/RHSA-2026:27076
https://access.redhat.com/errata/RHSA-2026:27063
https://access.redhat.com/errata/RHSA-2026:27004
https://access.redhat.com/errata/RHSA-2026:27001
https://access.redhat.com/errata/RHSA-2026:26999
https://access.redhat.com/errata/RHSA-2026:26997
https://access.redhat.com/errata/RHSA-2026:26568
https://access.redhat.com/errata/RHSA-2026:26519
https://access.redhat.com/errata/RHSA-2026:26420
https://access.redhat.com/errata/RHSA-2026:26416
https://access.redhat.com/errata/RHSA-2026:26413
https://access.redhat.com/errata/RHSA-2026:26412
https://access.redhat.com/errata/RHSA-2026:25201
https://access.redhat.com/errata/RHSA-2026:25195
https://access.redhat.com/errata/RHSA-2026:25194
https://access.redhat.com/errata/RHSA-2026:25187
https://access.redhat.com/errata/RHSA-2026:25183
https://access.redhat.com/errata/RHSA-2026:25182
https://access.redhat.com/errata/RHSA-2026:25127
https://access.redhat.com/errata/RHSA-2026:25045
https://access.redhat.com/errata/RHSA-2026:25009
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:24759
https://access.redhat.com/errata/RHSA-2026:24536
https://access.redhat.com/errata/RHSA-2026:24535
https://access.redhat.com/errata/RHSA-2026:24506
https://access.redhat.com/errata/RHSA-2026:24484
https://access.redhat.com/errata/RHSA-2026:23345
https://access.redhat.com/errata/RHSA-2026:23247
https://access.redhat.com/errata/RHSA-2026:23246
https://access.redhat.com/errata/RHSA-2026:23241
https://access.redhat.com/errata/RHSA-2026:23235
https://access.redhat.com/errata/RHSA-2026:23234
https://access.redhat.com/errata/RHSA-2026:23228
https://access.redhat.com/errata/RHSA-2026:22961
https://access.redhat.com/errata/RHSA-2026:22959
https://access.redhat.com/errata/RHSA-2026:22937
https://access.redhat.com/errata/RHSA-2026:22800
https://access.redhat.com/errata/RHSA-2026:22714
https://access.redhat.com/errata/RHSA-2026:22689
https://access.redhat.com/errata/RHSA-2026:22645
https://access.redhat.com/errata/RHSA-2026:22485
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22450
https://access.redhat.com/errata/RHSA-2026:22423
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:21932
https://access.redhat.com/errata/RHSA-2026:21931
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:21710
https://access.redhat.com/errata/RHSA-2026:21709
https://access.redhat.com/errata/RHSA-2026:21704
https://access.redhat.com/errata/RHSA-2026:21703
https://access.redhat.com/errata/RHSA-2026:21697
https://access.redhat.com/errata/RHSA-2026:21696
https://access.redhat.com/errata/RHSA-2026:21692
https://access.redhat.com/errata/RHSA-2026:21691
https://access.redhat.com/errata/RHSA-2026:21658
https://access.redhat.com/errata/RHSA-2026:21657
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:20946
https://access.redhat.com/errata/RHSA-2026:20943
https://access.redhat.com/errata/RHSA-2026:20436
https://access.redhat.com/errata/RHSA-2026:20322
https://access.redhat.com/errata/RHSA-2026:20089
https://access.redhat.com/errata/RHSA-2026:20088
https://access.redhat.com/errata/RHSA-2026:20042
https://access.redhat.com/errata/RHSA-2026:20041
https://access.redhat.com/errata/RHSA-2026:20035
https://access.redhat.com/errata/RHSA-2026:20034
https://access.redhat.com/errata/RHSA-2026:19721
https://access.redhat.com/errata/RHSA-2026:19720
https://access.redhat.com/errata/RHSA-2026:19719
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19353
https://access.redhat.com/errata/RHSA-2026:19207
https://access.redhat.com/errata/RHSA-2026:19135
https://access.redhat.com/errata/RHSA-2026:19109
https://access.redhat.com/errata/RHSA-2026:19108
https://access.redhat.com/errata/RHSA-2026:19099
https://access.redhat.com/errata/RHSA-2026:18585
https://access.redhat.com/errata/RHSA-2026:18068
https://access.redhat.com/errata/RHSA-2026:17789
https://access.redhat.com/errata/RHSA-2026:17599
https://access.redhat.com/errata/RHSA-2026:17598
https://access.redhat.com/errata/RHSA-2026:17475
https://access.redhat.com/errata/RHSA-2026:17474
https://access.redhat.com/errata/RHSA-2026:17468
https://access.redhat.com/errata/RHSA-2026:17459
https://access.redhat.com/errata/RHSA-2026:17448
https://access.redhat.com/errata/RHSA-2026:17123
https://access.redhat.com/errata/RHSA-2026:15092
https://access.redhat.com/errata/RHSA-2026:14775
https://access.redhat.com/errata/RHSA-2026:13829
https://access.redhat.com/errata/RHSA-2026:13791
https://access.redhat.com/errata/RHSA-2026:13548
https://access.redhat.com/errata/RHSA-2026:12337
https://access.redhat.com/errata/RHSA-2026:12283
https://access.redhat.com/errata/RHSA-2026:12279
https://access.redhat.com/errata/RHSA-2026:12277
https://access.redhat.com/errata/RHSA-2026:12119
https://access.redhat.com/errata/RHSA-2026:12118
https://access.redhat.com/errata/RHSA-2026:12116
https://access.redhat.com/errata/RHSA-2026:11996
https://access.redhat.com/errata/RHSA-2026:11916
https://access.redhat.com/errata/RHSA-2026:11856
https://access.redhat.com/errata/RHSA-2026:11803
https://access.redhat.com/errata/RHSA-2026:11408
https://access.redhat.com/errata/RHSA-2026:11070
https://access.redhat.com/errata/RHSA-2026:10706
https://access.redhat.com/errata/RHSA-2026:10705
https://access.redhat.com/errata/RHSA-2026:10698
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:10172
https://access.redhat.com/errata/RHSA-2026:10158
https://access.redhat.com/errata/RHSA-2026:10155
https://access.redhat.com/errata/RHSA-2026:10153
https://access.redhat.com/errata/RHSA-2026:10131
https://access.redhat.com/errata/RHSA-2026:10130
https://access.redhat.com/errata/RHSA-2026:10126
https://access.redhat.com/errata/RHSA-2026:10125
https://access.redhat.com/errata/RHSA-2026:10107
https://access.redhat.com/errata/RHSA-2026:10105