Description
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Published: 2026-03-20
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via Non‑Canonical Path
Action: Immediate Patch
AI Analysis

Impact

Older versions of the Go gRPC library accept HTTP/2 requests whose :path pseudo‑header lacks the required leading slash. The server routes the non‑canonical path to the intended handler, but authorization interceptors evaluate the raw path. Because deny rules are defined with canonical paths starting with \/, these rules do not match, allowing the request to slip through when the policy falls back to a generic allow. The result is a direct bypass of application‑level access controls, enabling an attacker to invoke privileged methods and leak or alter data. This issue maps to authorization weaknesses (CWE‑285) and path manipulation (CWE‑551).

Affected Systems

Any service built with gRPC-Go prior to release 1.79.3 is affected, especially servers that employ path‑based authorization through the official \/google.golang.org/grpc/authz package or custom interceptors that rely on the raw \/info.FullMethod values. The vulnerability exists in the server routing component, so it applies to all deployments of the Go gRPC server that do not validate the :path header before policy enforcement.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity; EPSS is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a modest public exploitation probability. Exploitation requires the attacker to be able to send raw HTTP/2 frames directly to the gRPC endpoint, meaning the service must be reachable at the transport level. Once the request reaches the server, the missing slash bypass can be triggered automatically, and the policy rules cannot block the call. Attackers with network access to the service can therefore exploit the flaw to compromise confidentiality or integrity of the data handled by the over‑privileged methods. The risk is elevated for services without a stricter access control policy or protecting the gRPC port behind a firewall.

Generated by OpenCVE AI on April 10, 2026 at 22:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the gRPC-Go library to version 1.79.3 or newer so that requests with a non‑canonical \/path are rejected immediately.
  • If an upgrade is not possible, add a validating interceptor that checks that the :path string begins with a leading slash before the authorization logic runs.
  • Consider normalizing incoming paths at the network or proxy layer so that the gRPC server always receives a canonical \/path.
  • Revisit the access control policy to remove a generic allow rule and enforce explicit deny rules for critical methods.

Generated by OpenCVE AI on April 10, 2026 at 22:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p77j-4mvh-x3m3 gRPC-Go has an authorization bypass via missing leading slash in :path
History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Grpc grpc
CPEs cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*
Vendors & Products Grpc grpc

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Grpc
Grpc grpc-go
Vendors & Products Grpc
Grpc grpc-go

Fri, 20 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
Description gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Title gRPC-Go has an authorization bypass via missing leading slash in :path
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Grpc Grpc Grpc-go
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:09:13.422Z

Reserved: 2026-03-17T22:16:36.720Z

Link: CVE-2026-33186

cve-icon Vulnrichment

Updated: 2026-03-24T18:09:03.096Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T23:16:45.180

Modified: 2026-04-10T20:49:17.737

Link: CVE-2026-33186

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-20T22:23:32Z

Links: CVE-2026-33186 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:24Z

Weaknesses