CVE-2026-33186

critical

Description

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33186.json

https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3

https://bugzilla.redhat.com/show_bug.cgi?id=2449833

https://access.redhat.com/security/cve/CVE-2026-33186

https://access.redhat.com/errata/RHSA-2026:9872

https://access.redhat.com/errata/RHSA-2026:9453

https://access.redhat.com/errata/RHSA-2026:9448

https://access.redhat.com/errata/RHSA-2026:9440

https://access.redhat.com/errata/RHSA-2026:9388

https://access.redhat.com/errata/RHSA-2026:9385

https://access.redhat.com/errata/RHSA-2026:8493

https://access.redhat.com/errata/RHSA-2026:8491

https://access.redhat.com/errata/RHSA-2026:8490

https://access.redhat.com/errata/RHSA-2026:8484

https://access.redhat.com/errata/RHSA-2026:8483

https://access.redhat.com/errata/RHSA-2026:8449

https://access.redhat.com/errata/RHSA-2026:8433

https://access.redhat.com/errata/RHSA-2026:8338

https://access.redhat.com/errata/RHSA-2026:8151

https://access.redhat.com/errata/RHSA-2026:7245

https://access.redhat.com/errata/RHSA-2026:7128

https://access.redhat.com/errata/RHSA-2026:7110

https://access.redhat.com/errata/RHSA-2026:6802

https://access.redhat.com/errata/RHSA-2026:6564

https://access.redhat.com/errata/RHSA-2026:6428

https://access.redhat.com/errata/RHSA-2026:6174

https://access.redhat.com/errata/RHSA-2026:34364

https://access.redhat.com/errata/RHSA-2026:29854

https://access.redhat.com/errata/RHSA-2026:29082

https://access.redhat.com/errata/RHSA-2026:29079

https://access.redhat.com/errata/RHSA-2026:28964

https://access.redhat.com/errata/RHSA-2026:28893

https://access.redhat.com/errata/RHSA-2026:28047

https://access.redhat.com/errata/RHSA-2026:27957

https://access.redhat.com/errata/RHSA-2026:27901

https://access.redhat.com/errata/RHSA-2026:27893

https://access.redhat.com/errata/RHSA-2026:27892

https://access.redhat.com/errata/RHSA-2026:27856

https://access.redhat.com/errata/RHSA-2026:27712

https://access.redhat.com/errata/RHSA-2026:27076

https://access.redhat.com/errata/RHSA-2026:27063

https://access.redhat.com/errata/RHSA-2026:27004

https://access.redhat.com/errata/RHSA-2026:27001

https://access.redhat.com/errata/RHSA-2026:26999

https://access.redhat.com/errata/RHSA-2026:26997

https://access.redhat.com/errata/RHSA-2026:26568

https://access.redhat.com/errata/RHSA-2026:26519

https://access.redhat.com/errata/RHSA-2026:26420

https://access.redhat.com/errata/RHSA-2026:26416

https://access.redhat.com/errata/RHSA-2026:26413

https://access.redhat.com/errata/RHSA-2026:26412

https://access.redhat.com/errata/RHSA-2026:25201

https://access.redhat.com/errata/RHSA-2026:25195

https://access.redhat.com/errata/RHSA-2026:25194

https://access.redhat.com/errata/RHSA-2026:25187

https://access.redhat.com/errata/RHSA-2026:25183

https://access.redhat.com/errata/RHSA-2026:25182

https://access.redhat.com/errata/RHSA-2026:25127

https://access.redhat.com/errata/RHSA-2026:25045

https://access.redhat.com/errata/RHSA-2026:25009

https://access.redhat.com/errata/RHSA-2026:24977

https://access.redhat.com/errata/RHSA-2026:24853

https://access.redhat.com/errata/RHSA-2026:24759

https://access.redhat.com/errata/RHSA-2026:24536

https://access.redhat.com/errata/RHSA-2026:24535

https://access.redhat.com/errata/RHSA-2026:24506

https://access.redhat.com/errata/RHSA-2026:24484

https://access.redhat.com/errata/RHSA-2026:23345

https://access.redhat.com/errata/RHSA-2026:23247

https://access.redhat.com/errata/RHSA-2026:23246

https://access.redhat.com/errata/RHSA-2026:23241

https://access.redhat.com/errata/RHSA-2026:23235

https://access.redhat.com/errata/RHSA-2026:23234

https://access.redhat.com/errata/RHSA-2026:23228

https://access.redhat.com/errata/RHSA-2026:22961

https://access.redhat.com/errata/RHSA-2026:22959

https://access.redhat.com/errata/RHSA-2026:22937

https://access.redhat.com/errata/RHSA-2026:22800

https://access.redhat.com/errata/RHSA-2026:22714

https://access.redhat.com/errata/RHSA-2026:22689

https://access.redhat.com/errata/RHSA-2026:22645

https://access.redhat.com/errata/RHSA-2026:22485

https://access.redhat.com/errata/RHSA-2026:22465

https://access.redhat.com/errata/RHSA-2026:22450

https://access.redhat.com/errata/RHSA-2026:22423

https://access.redhat.com/errata/RHSA-2026:22347

https://access.redhat.com/errata/RHSA-2026:21932

https://access.redhat.com/errata/RHSA-2026:21931

https://access.redhat.com/errata/RHSA-2026:21769

https://access.redhat.com/errata/RHSA-2026:21710

https://access.redhat.com/errata/RHSA-2026:21709

https://access.redhat.com/errata/RHSA-2026:21704

https://access.redhat.com/errata/RHSA-2026:21703

https://access.redhat.com/errata/RHSA-2026:21697

https://access.redhat.com/errata/RHSA-2026:21696

https://access.redhat.com/errata/RHSA-2026:21692

https://access.redhat.com/errata/RHSA-2026:21691

https://access.redhat.com/errata/RHSA-2026:21658

https://access.redhat.com/errata/RHSA-2026:21657

https://access.redhat.com/errata/RHSA-2026:21017

https://access.redhat.com/errata/RHSA-2026:20946

https://access.redhat.com/errata/RHSA-2026:20943

https://access.redhat.com/errata/RHSA-2026:20436

https://access.redhat.com/errata/RHSA-2026:20322

https://access.redhat.com/errata/RHSA-2026:20089

https://access.redhat.com/errata/RHSA-2026:20088

https://access.redhat.com/errata/RHSA-2026:20042

https://access.redhat.com/errata/RHSA-2026:20041

https://access.redhat.com/errata/RHSA-2026:20035

https://access.redhat.com/errata/RHSA-2026:20034

https://access.redhat.com/errata/RHSA-2026:19721

https://access.redhat.com/errata/RHSA-2026:19720

https://access.redhat.com/errata/RHSA-2026:19719

https://access.redhat.com/errata/RHSA-2026:19712

https://access.redhat.com/errata/RHSA-2026:19375

https://access.redhat.com/errata/RHSA-2026:19353

https://access.redhat.com/errata/RHSA-2026:19207

https://access.redhat.com/errata/RHSA-2026:19135

https://access.redhat.com/errata/RHSA-2026:19109

https://access.redhat.com/errata/RHSA-2026:19108

https://access.redhat.com/errata/RHSA-2026:19099

https://access.redhat.com/errata/RHSA-2026:18585

https://access.redhat.com/errata/RHSA-2026:18068

https://access.redhat.com/errata/RHSA-2026:17789

https://access.redhat.com/errata/RHSA-2026:17599

https://access.redhat.com/errata/RHSA-2026:17598

https://access.redhat.com/errata/RHSA-2026:17475

https://access.redhat.com/errata/RHSA-2026:17474

https://access.redhat.com/errata/RHSA-2026:17468

https://access.redhat.com/errata/RHSA-2026:17459

https://access.redhat.com/errata/RHSA-2026:17448

https://access.redhat.com/errata/RHSA-2026:17123

https://access.redhat.com/errata/RHSA-2026:15092

https://access.redhat.com/errata/RHSA-2026:14775

https://access.redhat.com/errata/RHSA-2026:13829

https://access.redhat.com/errata/RHSA-2026:13791

https://access.redhat.com/errata/RHSA-2026:13548

https://access.redhat.com/errata/RHSA-2026:12337

https://access.redhat.com/errata/RHSA-2026:12283

https://access.redhat.com/errata/RHSA-2026:12279

https://access.redhat.com/errata/RHSA-2026:12277

https://access.redhat.com/errata/RHSA-2026:12119

https://access.redhat.com/errata/RHSA-2026:12118

https://access.redhat.com/errata/RHSA-2026:12116

https://access.redhat.com/errata/RHSA-2026:11996

https://access.redhat.com/errata/RHSA-2026:11916

https://access.redhat.com/errata/RHSA-2026:11856

https://access.redhat.com/errata/RHSA-2026:11803

https://access.redhat.com/errata/RHSA-2026:11408

https://access.redhat.com/errata/RHSA-2026:11070

https://access.redhat.com/errata/RHSA-2026:10706

https://access.redhat.com/errata/RHSA-2026:10705

https://access.redhat.com/errata/RHSA-2026:10698

https://access.redhat.com/errata/RHSA-2026:10175

https://access.redhat.com/errata/RHSA-2026:10172

https://access.redhat.com/errata/RHSA-2026:10158

https://access.redhat.com/errata/RHSA-2026:10155

https://access.redhat.com/errata/RHSA-2026:10153

https://access.redhat.com/errata/RHSA-2026:10131

https://access.redhat.com/errata/RHSA-2026:10130

https://access.redhat.com/errata/RHSA-2026:10126

https://access.redhat.com/errata/RHSA-2026:10125

https://access.redhat.com/errata/RHSA-2026:10107

https://access.redhat.com/errata/RHSA-2026:10105

https://access.redhat.com/errata/RHSA-2026:10094

https://access.redhat.com/errata/RHSA-2026:10093

Details

Source: Mitre, NVD

Published: 2026-03-20

Updated: 2026-07-02

Risk Information

CVSS v2

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical

EPSS

EPSS: 0.00013