Description
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Published: 2026-03-20
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass enabling unauthorized access to gRPC methods
Action: Immediate Patch
AI Analysis

Impact

gRPC-Go versions before 1.79.3 accept HTTP/2 requests whose :path pseudo-header lacks the required leading slash, such as Service/Method. The server routes these non‑canonical paths to the correct handler but authorization interceptors evaluate the raw path string. As a result, deny rules that match canonical paths such as /Service/Method do not match the malformed request, and a fallback allow rule grants access. This flaw is a direct authorization bypass that can expose confidential data or perform privileged operations that are otherwise restricted.

Affected Systems

The vulnerability affects any grpc-go server running a version older than 1.79.3 that relies on path‑based authorization, including the official grpc/authz RBAC implementation or custom interceptors that use info.FullMethod or grpc.Method(ctx). No other protocols or unrelated products are impacted.

Risk and Exploitability

The CVSS base score of 9.1 reflects the high severity of this flaw. The EPSS score is below 1 %, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit it remotely by sending raw HTTP/2 frames with a malformed :path header directly to the gRPC server. If the server’s firewall or load balancer permits such traffic, the attacker can bypass authorization checks and invoke restricted RPCs. The impact is limited to the services exposed by the gRPC server, but the consequences are significant for sensitive or privileged operations.

Generated by OpenCVE AI on March 23, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update grpc-go to version 1.79.3 or newer.
  • Add a validating interceptor that rejects non‑canonical :path values before reaching authorization logic (recommended).
  • Normalize :path headers at the infrastructure level to enforce a leading slash.
  • Re‑evaluate and harden policies to avoid fallback allow rules or to explicitly deny non‑canonical paths.
  • Monitor gateway logs for malformed :path requests and set alerting thresholds.

Generated by OpenCVE AI on March 23, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p77j-4mvh-x3m3 gRPC-Go has an authorization bypass via missing leading slash in :path
History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Grpc grpc
CPEs cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*
Vendors & Products Grpc grpc

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Grpc
Grpc grpc-go
Vendors & Products Grpc
Grpc grpc-go

Fri, 20 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
Description gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Title gRPC-Go has an authorization bypass via missing leading slash in :path
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Grpc Grpc Grpc-go
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:09:13.422Z

Reserved: 2026-03-17T22:16:36.720Z

Link: CVE-2026-33186

cve-icon Vulnrichment

Updated: 2026-03-24T18:09:03.096Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T23:16:45.180

Modified: 2026-04-10T20:49:17.737

Link: CVE-2026-33186

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-20T22:23:32Z

Links: CVE-2026-33186 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:21Z

Weaknesses