Vulnerability details: VCID-mhf1-8kyt-pbbx
Vulnerability ID VCID-mhf1-8kyt-pbbx
Aliases CVE-2026-33186
GHSA-p77j-4mvh-x3m3
Summary gRPC-Go has an authorization bypass via missing leading slash in :path

### Impact
_What kind of vulnerability is it? Who is impacted?_

It is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

**Who is impacted?**

This affects gRPC-Go servers that meet both of the following criteria:

1. They use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`.
2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server.

### Patches
_Has the problem been patched? What versions should users upgrade to?_

Yes, the issue has been patched. The fix ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. Users should upgrade to the following versions (or newer):

* **v1.79.3**
* The latest **master** branch.
It is recommended that all users employing path-based authorization (especially `grpc/authz`) upgrade as soon as the patch is available in a tagged release.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

#### 1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

```go
import (
	"context"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// Reject any full method name that does not begin with "/" before it can
// reach authorization logic that compares it against canonical paths.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
	if info.FullMethod == "" || info.FullMethod[0] != '/' {
		return nil, status.Errorf(codes.Unimplemented, "malformed method name")
	}
	return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain. Unary interceptors do
// not see streaming RPCs; apply the same check on info.FullMethod in a
// grpc.StreamServerInterceptor registered first via grpc.ChainStreamInterceptor.
s := grpc.NewServer(
	grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
```

#### 2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the `:path` header does not start with a leading slash.

#### 3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.
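The mismatch described in the Impact section, and the validating check from Workaround 1, modelled in plain Go with no gRPC dependency. This is an added example, not code from the advisory or from grpc-go: `route` is a simplified stand-in for the lenient pre-patch router, `Policy` for a grpc/authz-style deny-list-plus-fallback-allow policy, and the service and method names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnimplemented stands in for status.Error(codes.Unimplemented, ...).
var ErrUnimplemented = errors.New("unimplemented: malformed method name")

// route models the lenient pre-patch routing: an optional leading "/" is
// stripped, so "Svc/M" and "/Svc/M" reach the same handler.
func route(fullMethod string) (service, method string, ok bool) {
	sm := strings.TrimPrefix(fullMethod, "/")
	pos := strings.LastIndex(sm, "/")
	if pos == -1 {
		return "", "", false
	}
	return sm[:pos], sm[pos+1:], true
}
// Policy models a grpc/authz-style RBAC policy: deny rules written as
// canonical paths plus a fallback allow.
type Policy struct{ DenyPaths []string }
// Authorize compares the raw :path byte-for-byte against the deny list,
// as the interceptor did before the fix, so "Svc/M" never matches "/Svc/M".
func (p Policy) Authorize(fullMethod string) bool {
	for _, d := range p.DenyPaths {
		if d == fullMethod {
			return false
		}
	}
	return true // fallback allow
}
// Dispatch is the patched flow: reject any :path without a leading slash
// before authorization runs, then authorize the (now canonical) path.
func Dispatch(p Policy, rawPath string) (bool, error) {
	if rawPath == "" || rawPath[0] != '/' {
		return false, ErrUnimplemented
	}
	return p.Authorize(rawPath), nil
}

func main() {
	p := Policy{DenyPaths: []string{"/pkg.Admin/DeleteUser"}} // constructed policy
	for _, path := range []string{"/pkg.Admin/DeleteUser", "pkg.Admin/DeleteUser"} {
		svc, m, _ := route(path)
		ok, err := Dispatch(p, path)
		fmt.Printf("%-22s -> %s.%s authz-only=%v patched=%v err=%v\n", path, svc, m, p.Authorize(path), ok, err)
	}
}
```

Both paths route to the same handler, but only the canonical one hits the deny rule under authz-only evaluation; with validation in front, the slashless request never reaches the policy at all.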
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (2)
| System | Score | Found at |
|---|---|---|
| cvssv3 | 8.1 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33186.json |
| cvssv3 | 9.1 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33186.json |
| epss | 0.00014 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00014 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00014 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00014 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00014 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00016 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00016 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00016 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00016 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00016 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.0002 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.0002 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.0002 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00023 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| epss | 0.00023 | https://api.first.org/data/v1/epss?cve=CVE-2026-33186 |
| cvssv3.1 | 8.1 | https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml |
| cvssv3.1 | 9.1 | https://github.com/grpc/grpc-go |
| generic_textual | CRITICAL | https://github.com/grpc/grpc-go |
| cvssv3.1 | 9.1 | https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 |
| generic_textual | CRITICAL | https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 |
| ssvc | Track | https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 |
| cvssv3.1 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2026-33186 |
| generic_textual | CRITICAL | https://nvd.nist.gov/vuln/detail/CVE-2026-33186 |
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33186.json
https://api.first.org/data/v1/epss?cve=CVE-2026-33186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33186
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/grpc/grpc-go
https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
https://nvd.nist.gov/vuln/detail/CVE-2026-33186
1132228 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132228
2449833 https://bugzilla.redhat.com/show_bug.cgi?id=2449833
RHSA-2026:10093 https://access.redhat.com/errata/RHSA-2026:10093
RHSA-2026:10094 https://access.redhat.com/errata/RHSA-2026:10094
RHSA-2026:10105 https://access.redhat.com/errata/RHSA-2026:10105
RHSA-2026:10107 https://access.redhat.com/errata/RHSA-2026:10107
RHSA-2026:10125 https://access.redhat.com/errata/RHSA-2026:10125
RHSA-2026:10126 https://access.redhat.com/errata/RHSA-2026:10126
RHSA-2026:10130 https://access.redhat.com/errata/RHSA-2026:10130
RHSA-2026:10131 https://access.redhat.com/errata/RHSA-2026:10131
RHSA-2026:10153 https://access.redhat.com/errata/RHSA-2026:10153
RHSA-2026:10155 https://access.redhat.com/errata/RHSA-2026:10155
RHSA-2026:10158 https://access.redhat.com/errata/RHSA-2026:10158
RHSA-2026:10172 https://access.redhat.com/errata/RHSA-2026:10172
RHSA-2026:10175 https://access.redhat.com/errata/RHSA-2026:10175
RHSA-2026:10698 https://access.redhat.com/errata/RHSA-2026:10698
RHSA-2026:10705 https://access.redhat.com/errata/RHSA-2026:10705
RHSA-2026:10706 https://access.redhat.com/errata/RHSA-2026:10706
RHSA-2026:11070 https://access.redhat.com/errata/RHSA-2026:11070
RHSA-2026:11217 https://access.redhat.com/errata/RHSA-2026:11217
RHSA-2026:11330 https://access.redhat.com/errata/RHSA-2026:11330
RHSA-2026:11331 https://access.redhat.com/errata/RHSA-2026:11331
RHSA-2026:11408 https://access.redhat.com/errata/RHSA-2026:11408
RHSA-2026:11803 https://access.redhat.com/errata/RHSA-2026:11803
RHSA-2026:11856 https://access.redhat.com/errata/RHSA-2026:11856
RHSA-2026:11916 https://access.redhat.com/errata/RHSA-2026:11916
RHSA-2026:11996 https://access.redhat.com/errata/RHSA-2026:11996
RHSA-2026:12116 https://access.redhat.com/errata/RHSA-2026:12116
RHSA-2026:12277 https://access.redhat.com/errata/RHSA-2026:12277
RHSA-2026:12279 https://access.redhat.com/errata/RHSA-2026:12279
RHSA-2026:12337 https://access.redhat.com/errata/RHSA-2026:12337
RHSA-2026:13548 https://access.redhat.com/errata/RHSA-2026:13548
RHSA-2026:13791 https://access.redhat.com/errata/RHSA-2026:13791
RHSA-2026:13829 https://access.redhat.com/errata/RHSA-2026:13829
RHSA-2026:6174 https://access.redhat.com/errata/RHSA-2026:6174
RHSA-2026:6428 https://access.redhat.com/errata/RHSA-2026:6428
RHSA-2026:6564 https://access.redhat.com/errata/RHSA-2026:6564
RHSA-2026:6802 https://access.redhat.com/errata/RHSA-2026:6802
RHSA-2026:7110 https://access.redhat.com/errata/RHSA-2026:7110
RHSA-2026:7128 https://access.redhat.com/errata/RHSA-2026:7128
RHSA-2026:7245 https://access.redhat.com/errata/RHSA-2026:7245
RHSA-2026:8151 https://access.redhat.com/errata/RHSA-2026:8151
RHSA-2026:8338 https://access.redhat.com/errata/RHSA-2026:8338
RHSA-2026:8433 https://access.redhat.com/errata/RHSA-2026:8433
RHSA-2026:8449 https://access.redhat.com/errata/RHSA-2026:8449
RHSA-2026:8483 https://access.redhat.com/errata/RHSA-2026:8483
RHSA-2026:8484 https://access.redhat.com/errata/RHSA-2026:8484
RHSA-2026:8490 https://access.redhat.com/errata/RHSA-2026:8490
RHSA-2026:8491 https://access.redhat.com/errata/RHSA-2026:8491
RHSA-2026:8493 https://access.redhat.com/errata/RHSA-2026:8493
RHSA-2026:9385 https://access.redhat.com/errata/RHSA-2026:9385
RHSA-2026:9388 https://access.redhat.com/errata/RHSA-2026:9388
RHSA-2026:9440 https://access.redhat.com/errata/RHSA-2026:9440
RHSA-2026:9448 https://access.redhat.com/errata/RHSA-2026:9448
RHSA-2026:9453 https://access.redhat.com/errata/RHSA-2026:9453
RHSA-2026:9872 https://access.redhat.com/errata/RHSA-2026:9872
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33186.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33186.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/grpc/grpc-go
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:08:38Z/ Found at https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33186
Exploit Prediction Scoring System (EPSS)
Percentile 0.02565
EPSS Score 0.00014
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:29.139613+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p77j-4mvh-x3m3/GHSA-p77j-4mvh-x3m3.json 38.0.0