Impact
The vulnerability arises from a merge‑precedence bug in the HTTP transcoding module of elixir‑grpc. All clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. As a result, a request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"}) produces a decoded protobuf struct where the attacker‑supplied user_id replaces the router‑extracted value. Handlers that use this field for authorization or ownership checks are silently bypassed, allowing an authenticated attacker to access or modify another user’s resources. This flaw is classified as CWE‑639.
Affected Systems
Affected products are elixir‑grpc grpc, versions 0.8.0 up to but excluding 1.0.0. Any deployment that employs HTTP transcoding and relies on path‑bound fields for access control is vulnerable.
Risk and Exploitability
The CVSS score of 7.6 indicates a high‑severity issue, while the EPSS score of <1% shows low but non‑zero exploitation probability. The defect permits exploitation by any authenticated user through a standard HTTP request, so the attack vector is inferred to be a conventional REST call with malicious query or body parameters. The vulnerability is not listed in the CISA KEV catalog, but the impact warrants prompt remediation.
OpenCVE Enrichment