CVE-2026-33186 is a critical security vulnerability in grpc-go, the Go implementation of gRPC, affecting versions prior to 1.79.3. The root cause is improper input validation of the HTTP/2 :path pseudo-header, specifically the acceptance of paths missing the mandatory leading slash. While the grpc-go server routes such requests correctly to the intended handler, authorization interceptors—including the official grpc/authz RBAC implementation—evaluate the raw, non-canonical path string. This discrepancy causes deny rules defined with canonical paths (starting with '/') to fail to match these requests. If the security policy includes a fallback allow rule, this leads to an authorization bypass, allowing unauthorized requests to succeed. The vulnerability is exploitable by an attacker capable of sending raw HTTP/2 frames with malformed :path headers directly to the grpc-go server, without requiring authentication or user interaction. The fix introduced in grpc-go 1.79.3 rejects any request with a :path header that does not begin with a leading slash, returning a codes.Unimplemented error before authorization interceptors or handlers process the request. This prevents the bypass scenario. Until upgrading, mitigations include deploying a validating interceptor that enforces canonical path formats, normalizing requests at the infrastructure level (e.g., proxies or gateways), or hardening authorization policies to avoid fallback allow rules that could be exploited. This vulnerability is tracked under CWE-285 (Improper Authorization) and carries a CVSS v3.1 score of 9.1, indicating critical severity due to its network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality and integrity.

The vulnerability allows attackers to bypass authorization controls on grpc-go servers that rely on path-based authorization interceptors, potentially granting unauthorized access to sensitive services or methods. This can lead to unauthorized data disclosure, modification, or execution of privileged operations, severely compromising confidentiality and integrity. Since gRPC is widely used for inter-service communication in microservices architectures and cloud-native applications, exploitation could affect a broad range of organizations globally, including enterprises, cloud providers, and service vendors. The lack of required authentication or user interaction lowers the barrier for exploitation, increasing risk. Although no known exploits are currently reported in the wild, the critical CVSS score and the nature of the flaw suggest that attackers with network access to vulnerable grpc-go servers could leverage this vulnerability to escalate privileges or access restricted functionality. The availability impact is minimal as the vulnerability does not disrupt service but focuses on unauthorized access.

The most effective mitigation is to upgrade grpc-go to version 1.79.3 or later, which rejects malformed :path headers before authorization checks. For environments where immediate upgrading is not feasible, implement a validating interceptor that enforces the presence of a leading slash in the :path header, rejecting or sanitizing malformed requests early in the request lifecycle. Additionally, normalize incoming HTTP/2 requests at the infrastructure level using proxies, API gateways, or ingress controllers to ensure all :path headers conform to canonical format before reaching the grpc-go server. Review and harden authorization policies to avoid fallback allow rules that could inadvertently permit unauthorized access if deny rules fail to match. Employ network segmentation and strict access controls to limit exposure of grpc-go servers to untrusted networks, reducing the attack surface. Monitor network traffic for anomalous HTTP/2 frames with malformed headers and implement logging to detect potential exploitation attempts. Finally, conduct thorough testing of custom authorization interceptors to ensure they correctly handle non-canonical paths.