FixVibe
Research note · Severity: critical

Authorization Bypass in gRPC-Go via HTTP/2 :path Pseudo-Header (CVE-2026-33186)

A critical vulnerability in gRPC-Go (CVE-2026-33186) allows attackers to bypass authorization checks. The server's routing logic was too lenient when processing HTTP/2 requests where the ':path' pseudo-header was omitted or malformed, potentially allowing unauthorized access to gRPC services.

CVE-2026-33186 · CWE-285

Impact

An attacker can bypass authorization mechanisms to access restricted gRPC services and methods [S1]. This could lead to unauthorized data access, modification, or execution of administrative functions depending on the exposed gRPC service [S1].

Root Cause

The root cause is improper input validation of the HTTP/2 :path pseudo-header in the gRPC-Go server implementation [S1]. In versions prior to 1.79.3, the server's routing logic was overly lenient [S1]. Specifically, it failed to correctly handle or reject requests where the :path header was omitted, leading to incorrect routing decisions that bypassed security interceptors or authorization checks [S1].

Technical Details

gRPC relies on the HTTP/2 protocol, where the :path pseudo-header typically contains the service and method name [S1]. Authorization plugins and interceptors often use this path to determine if a user has the required permissions [S1]. By crafting a request that exploits the server's leniency in validating this header, an attacker can cause the server to process a request that should have been blocked by the authorization layer [S1].
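As a defensive illustration of the point above, the following added example (not code from the gRPC-Go project or from this advisory) shows the shape of a deny-by-default authorization check that refuses to make any routing or permission decision until the method path has been validated. It is standard-library Go only; the permission table, service names and caller identities are constructed for the example, and in a real server the same functions would be called from a `grpc.UnaryServerInterceptor` with `info.FullMethod` as the path argument. Upgrading to 1.79.3 remains the actual fix; this is defence in depth at the interceptor layer.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed permission table for the example: which caller identity may
// invoke which fully-qualified gRPC method. Anything not listed is denied.
var permissions = map[string]map[string]bool{
	"/demo.Admin/Reset": {"ops-admin": true},
	"/demo.Public/Ping": {"ops-admin": true, "anonymous": true},
}

// grpcPathRe accepts exactly the gRPC method path shape "/package.Service/Method".
var grpcPathRe = regexp.MustCompile(`^/[A-Za-z_][A-Za-z0-9_.]*/[A-Za-z_][A-Za-z0-9_]*$`)

var (
	ErrMissingPath   = errors.New("request has no :path")
	ErrMalformedPath = errors.New("request :path is not a gRPC method path")
	ErrDenied        = errors.New("caller is not permitted to invoke this method")
)

// ValidateMethodPath rejects an absent or malformed path before any routing
// decision is made, so an omitted :path can never fall through to a handler.
func ValidateMethodPath(path string) error {
	if path == "" {
		return ErrMissingPath
	}
	if !grpcPathRe.MatchString(path) || strings.Contains(path, "..") {
		return ErrMalformedPath
	}
	return nil
}

// Authorize combines the structural check with an explicit allowlist lookup.
// Unknown methods are denied rather than routed to a default handler.
func Authorize(path, caller string) error {
	if err := ValidateMethodPath(path); err != nil {
		return err
	}
	allowed, known := permissions[path]
	if !known || !allowed[caller] {
		return ErrDenied
	}
	return nil
}

func main() {
	// Constructed requests: a valid public call, an admin call from an
	// unprivileged caller, a request with no path at all, and a path missing
	// its leading slash.
	cases := []struct{ path, caller string }{
		{"/demo.Public/Ping", "anonymous"},
		{"/demo.Admin/Reset", "anonymous"},
		{"", "anonymous"},
		{"/demo.Admin/Reset", "ops-admin"},
		{"demo.Admin/Reset", "ops-admin"},
	}
	for _, c := range cases {
		fmt.Printf("%-22q caller=%-10s -> %v\n", c.path, c.caller, Authorize(c.path, c.caller))
	}
}
```

The design choice worth noting is ordering: the structural check runs first and returns a distinct error, so an absent or malformed path is logged as such rather than being silently folded into a generic permission failure, which makes probing of this kind visible in server logs.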

How FixVibe could detect it

FixVibe could detect this vulnerability through its active probing engine by performing the following checks:

  • Version Fingerprinting: Identifying the gRPC-Go server version via analysis of response behaviors [S1].
  • Malformed HTTP/2 Probes: Sending specially crafted HTTP/2 frames to the gRPC endpoint that omit the :path pseudo-header to observe if the server incorrectly routes the request [S1].
  • Dependency Scanning: Identifying vulnerable versions of google.golang.org/grpc in project manifest files [S1].
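The dependency-scanning check above can be reproduced locally. The following added example (not FixVibe's scanner and not gRPC-Go project code) reads a go.mod, finds the `google.golang.org/grpc` requirement and compares it against the fixed version named in this note, treating a prerelease of 1.79.3 as still affected. The go.mod text is constructed for the example; version comparison is plain MAJOR.MINOR.PATCH with standard-library code only.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// FixedVersion is the first gRPC-Go release this note names as fixed.
const FixedVersion = "v1.79.3"

// grpcModule is the module path of gRPC-Go as it appears in go.mod.
const grpcModule = "google.golang.org/grpc"

// sampleGoMod is a constructed manifest pinning an affected release.
const sampleGoMod = `module example.com/svc

go 1.22

require (
	golang.org/x/net v0.30.0
	google.golang.org/grpc v1.79.2
)
`

// parseSemver splits "v1.79.2" into numeric parts and reports whether a
// prerelease or build suffix ("-rc.1", "+incompatible") was present.
func parseSemver(v string) (parts [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		prerelease = v[i] == '-'
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, f := range fields {
		n, convErr := strconv.Atoi(f)
		if convErr != nil {
			return parts, false, fmt.Errorf("bad version component %q: %w", f, convErr)
		}
		parts[i] = n
	}
	return parts, prerelease, nil
}

// IsVulnerableVersion reports whether v is older than FixedVersion. A
// prerelease of the fixed version itself counts as older.
func IsVulnerableVersion(v string) (bool, error) {
	have, pre, err := parseSemver(v)
	if err != nil {
		return false, err
	}
	fixed, _, _ := parseSemver(FixedVersion)
	for i := 0; i < 3; i++ {
		if have[i] != fixed[i] {
			return have[i] < fixed[i], nil
		}
	}
	return pre, nil
}

// GRPCVersionFromGoMod scans go.mod text for the gRPC-Go requirement, whether
// written as a single "require" line or inside a require block, and returns
// its version, or "" when the module is not required.
func GRPCVersionFromGoMod(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == grpcModule {
			return fields[1]
		}
	}
	return ""
}

func main() {
	v := GRPCVersionFromGoMod(sampleGoMod)
	if v == "" {
		fmt.Println("gRPC-Go is not required by this module")
		return
	}
	vuln, err := IsVulnerableVersion(v)
	if err != nil {
		fmt.Println("cannot evaluate version:", err)
		return
	}
	fmt.Printf("%s %s: affected by CVE-2026-33186 = %v (fixed in %s)\n", grpcModule, v, vuln, FixedVersion)
}
```

Two caveats for real use: a `replace` directive in go.mod can override the version the require line shows, and the build's effective version is what `go list -m google.golang.org/grpc` reports, so treat the manifest scan as a first pass and confirm with the module tooling before closing a finding.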

Fix

Update gRPC-Go to version 1.79.3 or later to ensure proper validation of HTTP/2 pseudo-headers and correct routing logic [S1].
