NVD - CVE-2026-33186
Information Technology Laboratory
National Vulnerability Database
CVE-2026-33186 Detail
Description
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server still routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules written against canonical paths (starting with `/`) failed to match the incoming request, and the request bypassed the policy whenever a fallback "allow" rule was present.

This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, and whose security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). Policies that deny by default are not bypassed this way, because the non-canonical path matches no "allow" rule either.

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server; standard gRPC clients always emit the canonical form. The fix in version 1.79.3 ensures that any request whose `:path` does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, so it never reaches authorization interceptors or handlers with a non-canonical path string.

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one or more of the following methods: a validating interceptor that rejects non-canonical paths before any policy is evaluated (the recommended mitigation); infrastructure-level normalization of `:path` at a proxy in front of the server; and/or policy hardening so that the "deny" rules also cover the non-canonical forms.
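The following Go program is an added illustration and is not code from gRPC-Go or from the advisory. It models the decision logic the description above refers to: a simplified RBAC policy (explicit "deny" rules on canonical paths plus a fallback "allow"), evaluated once the way a pre-1.79.3 interceptor would see the raw `:path`, once behind the leading-slash check that the 1.79.3 fix and the recommended validating interceptor perform, and once against a policy hardened with non-canonical twins of each deny rule. The `Policy` type, the `*` wildcard handling and the sample method names are assumptions chosen for the example; the real `grpc/authz` policy format and types are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the outcome of evaluating one request path against a policy.
type Decision string

const (
	Allow         Decision = "ALLOW"
	Deny          Decision = "DENY"
	Unimplemented Decision = "UNIMPLEMENTED" // stands in for status code codes.Unimplemented
)

// Policy is a hypothetical simplification of the affected configuration:
// explicit deny rules on canonical method paths, with a fallback allow rule.
// It is not the grpc/authz package's real policy type.
type Policy struct {
	DenyPaths []string // exact "/pkg.Service/Method" or prefix "/pkg.Service/*"
	AllowAll  bool     // fallback allow rule present
}

// matches reports whether a rule pattern matches a path. A trailing "*" is a
// prefix wildcard; anything else must match exactly.
func matches(pattern, path string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

// evaluateRaw mirrors the pre-1.79.3 situation: the raw :path value (what a
// path-based interceptor sees in info.FullMethod) is fed straight into the
// policy. A path without its leading slash never matches a canonical deny
// rule, so it falls through to the fallback allow.
func evaluateRaw(p Policy, fullMethod string) Decision {
	for _, d := range p.DenyPaths {
		if matches(d, fullMethod) {
			return Deny
		}
	}
	if p.AllowAll {
		return Allow
	}
	return Deny
}

// errMalformedPath is the rejection a validating interceptor returns; in a
// real grpc.UnaryServerInterceptor this would be
// status.Error(codes.Unimplemented, "malformed method name").
var errMalformedPath = errors.New("malformed method name: missing leading slash")

// validateFullMethod is the check the 1.79.3 fix performs before any
// interceptor or handler sees the request: the path must start with "/".
func validateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return errMalformedPath
	}
	return nil
}

// evaluateHardened runs the validation first, so a non-canonical path is
// rejected instead of being compared against canonical deny rules.
func evaluateHardened(p Policy, fullMethod string) Decision {
	if err := validateFullMethod(fullMethod); err != nil {
		return Unimplemented
	}
	return evaluateRaw(p, fullMethod)
}

// hardenPolicy is one concrete form of the advisory's "policy hardening"
// mitigation: every canonical deny rule gets a twin without the leading
// slash, so the non-canonical spelling is denied even on an unpatched server.
func hardenPolicy(p Policy) Policy {
	out := Policy{AllowAll: p.AllowAll}
	for _, d := range p.DenyPaths {
		out.DenyPaths = append(out.DenyPaths, d, strings.TrimPrefix(d, "/"))
	}
	return out
}

func main() {
	// Constructed sample policy: admin RPCs and one user RPC are denied,
	// everything else is allowed by the fallback rule.
	policy := Policy{DenyPaths: []string{"/pkg.Admin/*", "/pkg.Users/Delete"}, AllowAll: true}
	hardened := hardenPolicy(policy)
	for _, path := range []string{"/pkg.Admin/Reset", "pkg.Admin/Reset", "/pkg.Users/Delete", "pkg.Users/Delete", "/pkg.Users/Get"} {
		fmt.Printf("%-18s raw=%-6s validated=%-13s hardened-policy=%s\n",
			path, evaluateRaw(policy, path), evaluateHardened(policy, path), evaluateRaw(hardened, path))
	}
}
```

To apply the validating check in a real server, put `validateFullMethod(info.FullMethod)` at the top of both a unary and a stream server interceptor and register them first in the chain (`grpc.ChainUnaryInterceptor` / `grpc.ChainStreamInterceptor`), returning `status.Error(codes.Unimplemented, ...)` on failure; ordering matters, because an authorization interceptor that runs before the validator still sees the raw path.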
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD: N/A (NVD assessment not yet provided)
CVSS 3.x Severity and Vector Strings:
NIST: NVD: Base Score: N/A (NVD assessment not yet provided)
CNA: GitHub, Inc.: Base Score: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Impact Score: 5.2; Exploitability Score: 3.9
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None; Scope (S): Unchanged; Confidentiality (C): High; Integrity (I): High; Availability (A): None
CVSS 2.0 Severity and Vector Strings:
NIST: NVD: Base Score: N/A (NVD assessment not yet provided)
References to Advisories, Solutions, and Tools
URL: https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
Source(s): GitHub, Inc.
Tag(s): Mitigation, Vendor Advisory
Weakness Enumeration
CWE-ID: CWE-285
CWE Name: Improper Authorization
Source: GitHub, Inc.
Known Affected Software Configurations
Change History
2 change records found
Initial Analysis by NIST 4/10/2026 4:49:17 PM
Action: Added; Type: CPE Configuration; New Value: OR *cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:* versions up to (excluding) 1.79.3
Action: Added; Type: Reference Type; New Value: GitHub, Inc.: https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 Types: Mitigation, Vendor Advisory
New CVE Received from GitHub, Inc. 3/20/2026 7:16:45 PM
Action: Added; Type: Description; New Value: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in...