Cyber Posture

CVE-2026-33186

Critical

Published: 20 March 2026

Published
20 March 2026
Modified
10 April 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0002 5.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33186 is a critical-severity Improper Authorization (CWE-285) vulnerability in Grpc Grpc. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the improper input validation of HTTP/2 :path pseudo-headers by requiring validation mechanisms to reject non-canonical paths lacking a leading slash before they reach authorization logic.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access, mitigating the bypass where malformed paths evade matching deny rules in path-based authorization interceptors.

SI-2 Flaw Remediation good match
prevent

Requires timely flaw remediation, such as upgrading gRPC-Go to version 1.79.3, to eliminate the specific authorization bypass vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Authorization bypass in network-accessible gRPC-Go server via malformed HTTP/2 :path directly enables T1190 to obtain unauthorized access to protected methods.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the…

more

`:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Deeper analysisAI

CVE-2026-33186 is an authorization bypass vulnerability in gRPC-Go, the Go language implementation of gRPC, affecting versions prior to 1.79.3. The issue stems from improper input validation of the HTTP/2 `:path` pseudo-header, where the server accepts requests with paths omitting the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server routes these to the correct handler, authorization interceptors, such as the official `grpc/authz` package or custom ones relying on `info.FullMethod` or `grpc.Method(ctx)`, evaluate the raw non-canonical path. This prevents "deny" rules defined for canonical paths (starting with `/`) from matching, allowing bypass if a fallback "allow" rule exists. It impacts gRPC-Go servers using path-based authorization with such policies.

Any network-accessible attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` header lacking the leading slash, requiring no privileges (AV:N/AC:L/PR:N). Successful exploitation bypasses authorization checks, granting unauthorized access to protected methods and enabling high confidentiality and integrity impacts (CVSS 9.1: C:H/I:H/A:N), mapped to CWE-285 (Improper Authorization).

The advisory at https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 details the fix in version 1.79.3, which rejects requests without a leading slash in `:path` with a `codes.Unimplemented` error before reaching interceptors or handlers. Upgrading is recommended; alternative mitigations include a validating interceptor to normalize or reject paths, infrastructure-level HTTP/2 normalization, or hardening policies to deny non-canonical paths explicitly.

Details

CWE(s)
CWE-285

Affected Products

grpc
grpc
≤ 1.79.3

CVEs Like This One

CVE-2026-28448Shared CWE-285
CVE-2026-30702Shared CWE-285
CVE-2025-25196Shared CWE-285
CVE-2023-53895Shared CWE-285
CVE-2024-50617Shared CWE-285
CVE-2026-34784Shared CWE-285
CVE-2025-21348Shared CWE-285
CVE-2026-40246Shared CWE-285
CVE-2026-28431Shared CWE-285
CVE-2026-22022Shared CWE-285

References