CVE-2026-33186 is a critical security vulnerability in grpc-go, the Go implementation of gRPC, affecting all versions prior to 1.79.3. The root cause is an improper authorization check stemming from lenient routing logic that accepts HTTP/2 :path pseudo-headers lacking the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). While the grpc-go server correctly routes such requests to the intended handler, authorization interceptors—including the official grpc/authz RBAC package—evaluate the raw, non-canonical path string. This discrepancy causes deny rules defined for canonical paths (which start with a slash) to fail to match these requests. If the server’s security policy includes deny rules for canonical paths but defaults to allowing other requests, attackers can exploit this to bypass authorization controls. Exploitation requires the ability to send raw HTTP/2 frames with malformed :path headers directly to the grpc-go server, which may be feasible in exposed service environments. The vulnerability impacts any grpc-go server using path-based authorization interceptors relying on info.FullMethod or grpc.Method(ctx) for access control decisions. The fix introduced in grpc-go version 1.79.3 enforces strict validation by rejecting any request with a :path that does not start with a leading slash, returning a codes.Unimplemented error before authorization interceptors or handlers process the request. This prevents the non-canonical path from reaching authorization logic, closing the bypass. While upgrading to 1.79.3 or later is the most secure solution, mitigations include deploying a validating interceptor that enforces path canonicalization, implementing infrastructure-level normalization of HTTP/2 :path headers, or hardening authorization policies to avoid fallback allow rules that could be exploited. The vulnerability is assigned a CVSS v3.1 base score of 9.1, indicating critical severity due to its network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. No known exploits are reported in the wild as of publication.

This vulnerability allows unauthenticated remote attackers to bypass path-based authorization controls on grpc-go servers, potentially granting unauthorized access to sensitive services or methods. The impact includes unauthorized disclosure of confidential information and unauthorized modification or execution of service methods, compromising data confidentiality and integrity. Since grpc-go is widely used in microservices architectures and cloud-native applications, exploitation could lead to lateral movement within networks, data breaches, or unauthorized command execution in critical infrastructure. The vulnerability does not affect availability directly but undermines trust in access controls, increasing the risk of further exploitation. Organizations relying on grpc-go for internal or external APIs that implement path-based RBAC or custom authorization interceptors are at significant risk if they have fallback allow policies. The ease of exploitation (no authentication or user interaction required) and the broad use of grpc-go in modern distributed systems amplify the threat's severity globally.

The primary and most effective mitigation is to upgrade all grpc-go servers to version 1.79.3 or later, which enforces strict validation of the :path header. If immediate upgrading is not feasible, deploy a validating interceptor that rejects or normalizes incoming requests with non-canonical :path headers before authorization interceptors process them. Implement infrastructure-level normalization by configuring HTTP/2 proxies, ingress controllers, or API gateways to enforce canonical path formats, rejecting or rewriting malformed :path headers. Harden authorization policies by avoiding fallback allow rules; instead, explicitly deny unknown or malformed paths to reduce the risk of bypass. Conduct thorough audits of existing authorization interceptors to ensure they rely on canonical paths and handle edge cases correctly. Monitor network traffic for anomalous HTTP/2 frames with malformed :path headers and implement logging to detect potential exploitation attempts. Finally, educate development and security teams about the importance of strict input validation in authorization logic to prevent similar issues.