Description
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body.

In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed.

This issue affects grpc from 0.8.0 before 1.0.0.
Published: 2026-06-15
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a merge‑precedence bug in the HTTP transcoding module of elixir‑grpc. All clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. As a result, a request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"}) produces a decoded protobuf struct where the attacker‑supplied user_id replaces the router‑extracted value. Handlers that use this field for authorization or ownership checks are silently bypassed, allowing an authenticated attacker to access or modify another user’s resources. This flaw is classified as CWE‑639.

Affected Systems

Affected products are elixir‑grpc grpc, versions 0.8.0 up to but excluding 1.0.0. Any deployment that employs HTTP transcoding and relies on path‑bound fields for access control is vulnerable.

Risk and Exploitability

The CVSS score of 7.6 indicates a high‑severity issue, while the EPSS score of <1% shows low but non‑zero exploitation probability. The defect permits exploitation by any authenticated user through a standard HTTP request, so the attack vector is inferred to be a conventional REST call with malicious query or body parameters. The vulnerability is not listed in the CISA KEV catalog, but the impact warrants prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade grpc to version 1.0.0 or later, which removes the merge precedence bug.
  • If an upgrade is not immediately possible, adjust the server‑binding logic to ignore user‑supplied values for path‑bound fields or validate that the router‑extracted value takes precedence.
  • Review all authorization and tenancy checks to ensure they do not rely solely on the value of a path‑bound field; enforce identity verification against the authenticated user before granting access.

Generated by OpenCVE AI on June 17, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0.
Title Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
First Time appeared Elixir-grpc
Elixir-grpc grpc
Weaknesses CWE-639
CPEs cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
Vendors & Products Elixir-grpc
Elixir-grpc grpc
References
Metrics cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Elixir-grpc Grpc
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-17T04:46:32.876Z

Reserved: 2026-05-22T09:36:56.834Z

Link: CVE-2026-48599

cve-icon Vulnrichment

Updated: 2026-06-16T14:46:05.524Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T23:16:45.377

Modified: 2026-06-16T15:35:16.600

Link: CVE-2026-48599

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:00:14Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key