CVE-2026-33186 Overview
CVE-2026-33186 is an authorization bypass vulnerability in gRPC-Go, the Go language implementation of gRPC. The vulnerability stems from improper input validation of the HTTP/2 :path pseudo-header, allowing attackers to bypass path-based authorization policies by sending malformed requests that omit the mandatory leading slash in the path.
Critical Impact
Attackers can bypass RBAC deny rules and gain unauthorized access to protected gRPC service methods by sending HTTP/2 requests with non-canonical paths, potentially leading to complete authorization policy bypass.
Affected Products
- gRPC-Go versions prior to 1.79.3
- Servers using path-based authorization interceptors (including google.golang.org/grpc/authz)
- Custom interceptors relying on info.FullMethod or grpc.Method(ctx)
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-33186 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33186
Vulnerability Analysis
This authorization bypass vulnerability affects gRPC-Go servers that implement path-based authorization controls. The root issue lies in the server's overly permissive routing logic, which accepts HTTP/2 requests where the :path pseudo-header lacks the required leading slash. For example, a request with :path set to Service/Method instead of the canonical /Service/Method would still be successfully routed to the correct handler.
The security implication becomes apparent when authorization interceptors evaluate the incoming request. These interceptors, including the official RBAC implementation in google.golang.org/grpc/authz, compare the raw path string against configured policies. When a policy contains a deny rule for /Service/Method but the incoming request uses Service/Method, the rule fails to match. If a fallback "allow" rule exists in the policy, the request proceeds despite being intended to be blocked.
Root Cause
The vulnerability is classified under CWE-285 (Improper Authorization). The gRPC-Go server's routing mechanism was too lenient in its path validation, accepting non-canonical paths without the mandatory leading slash. This created a mismatch between how the server routed requests and how authorization interceptors evaluated path-based policies, leading to an authorization bypass condition.
Attack Vector
Exploitation requires an attacker capable of sending raw HTTP/2 frames directly to the gRPC server. By crafting HTTP/2 requests with malformed :path headers that omit the leading slash, an attacker can cause authorization interceptors to fail matching their deny rules. The attack is network-accessible and requires no authentication or user interaction to execute.
The attack flow proceeds as follows:
- Attacker identifies a protected gRPC service endpoint with path-based RBAC policies
- Attacker crafts an HTTP/2 request with a non-canonical :path (e.g., SecureService/AdminMethod instead of /SecureService/AdminMethod)
- The gRPC-Go server routes the request to the correct handler
- Authorization interceptors evaluate the raw path, failing to match deny rules configured with canonical paths
- If a fallback allow rule exists, the request bypasses authorization and reaches the protected handler
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-33186
Indicators of Compromise
- HTTP/2 requests to gRPC endpoints with :path pseudo-headers missing the leading slash character
- Unusual access patterns to restricted service methods from unauthorized clients
- Authorization interceptor logs showing requests that bypass expected deny rules
- Network traffic containing gRPC calls with non-canonical path formats
Detection Strategies
- Implement HTTP/2 frame inspection at the network layer to identify malformed :path pseudo-headers
- Enable verbose logging on gRPC authorization interceptors to capture the raw path values being evaluated
- Deploy intrusion detection rules that alert on :path values not starting with /
- Audit gRPC server access logs for successful calls to methods that should be denied by policy
Monitoring Recommendations
- Monitor gRPC server metrics for unexpected successful calls to restricted methods
- Implement real-time alerting for HTTP/2 frames with non-compliant :path formatting
- Review authorization interceptor logs regularly for policy bypass indicators
- Track authentication and authorization failure rates for anomalies that could indicate exploitation attempts
How to Mitigate CVE-2026-33186
Immediate Actions Required
- Upgrade gRPC-Go to version 1.79.3 or later immediately
- Audit existing RBAC policies for configurations with deny rules and fallback allow rules
- Implement a validating interceptor as an interim measure if immediate upgrade is not possible
- Review server logs for any evidence of prior exploitation attempts
Patch Information
The fix is available in gRPC-Go version 1.79.3. The patch ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error. This prevents malformed requests from reaching authorization interceptors or handlers with a non-canonical path string.
For more details, refer to the GitHub Security Advisory.
Workarounds
- Validating Interceptor (Recommended): Implement a custom unary and stream interceptor that validates the :path format and rejects requests missing the leading slash before they reach authorization logic
- Infrastructure-Level Normalization: Deploy a reverse proxy or load balancer that normalizes HTTP/2 :path pseudo-headers to ensure canonical formatting
- Policy Hardening: Update RBAC policies to include deny rules for both canonical (/Service/Method) and non-canonical (Service/Method) path variants
# Upgrade gRPC-Go to the patched version
go get google.golang.org/grpc@v1.79.3
# Verify the installed version
go list -m google.golang.org/grpc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
