Bug 2449833 (CVE-2026-33186)

Summary: CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: aazores, abarbaro, abuckta, agarcial, akostadi, akoudelk, alcohan, alebedev, alinfoot, alizardo, amasferr, anjoseph, anpicker, ansmith, anthomas, aoconnor, aprice, asegurap, bbrownin, bdettelb, bparees, cahl, caswilli, cdrage, ckandaga, cmah, crizzo, dakwon, dbosanac, dfreiber, dhanak, dkuc, dmayorov, doconnor, drosa, drow, dschmidt, dsimansk, dtrifiro, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, eshamard, fdeutsch, ggainey, gparvin, gtanzill, hasun, ibolton, jbalunas, jburrell, jbuscemi, jcantril, jchui, jdobes, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmitchel, jmontleo, jolong, jowilson, jpasqual, jprabhak, jpretori, jreimann, jsamir, jschluet, jsherril, juwatts, jvasik, kaycoth, kbempah, kgaikwad, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, ljawale, lphiri, luizcosta, manissin, mbocek, mburns, mdessi, mgarciac, mhess, mhulan, mkleinhe, mnovotny, mrizzi, mrunge, msilmser, mstipich, mwringe, nboldt, ngough, nmoumoul, nweather, nyancey, oaljalju, oezr, ometelka, orabin, oramraz, osousa, pahickey, pakotvan, pantinor, pbohmill, pcattana, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rblanco, rbobbitt, rbryant, rchan, rekumar, rexwhite, rfreiman, rhaigner, rhel-process-autobot, rjohnson, rochandr, rojacob, rushinde, sakbas, sausingh, sbratsla, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, solenoci, sseago, stcannon, sthirugn, stirabos, syedriko, teagle, thason, tmalecek, tsedmik, veshanka, vimartin, vkumar, vle, vmugicag, vvoronko, vwilson, watson-tool-maintainers, weaton, wenshen, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2450275, 2450277, 2450276

Description OSIDB Bzimport 2026-03-20 23:02:50 UTC
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, and whose security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server.

The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
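The following is an added illustration, not code from gRPC-Go or from this bug report. It models the two halves of the description above in plain Go with no gRPC dependency: a simplified deny-then-fallback-allow policy evaluated by literal string comparison (which is why a `:path` of `Service/Method` does not match a deny rule written as `/Service/Method`), and the "validating interceptor" mitigation, which rejects any non-canonical method path with an Unimplemented-style error before the policy or a handler sees it. `Policy`, `ValidateMethodPath`, `AuthorizeHardened` and the `admin.Admin` method names are hypothetical; in a real server the same check would run on `info.FullMethod` inside a `grpc.UnaryServerInterceptor` and `grpc.StreamServerInterceptor` registered ahead of the authz interceptor.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnimplemented stands in for a status.Error(codes.Unimplemented, ...)
// response; a sentinel is used here so the file builds with only the
// standard library (assumption: no gRPC import).
var ErrUnimplemented = errors.New("unimplemented: malformed method path")

// Policy is a simplified RBAC policy (hypothetical type): deny rules are
// checked first; if none matches, the fallback allow decides.
type Policy struct {
	DenyMethods   []string // exact canonical method paths, e.g. "/pkg.Svc/Method"
	AllowFallback bool
}

// Authorize evaluates the policy against the raw path string it is handed.
// This is the pre-fix situation: a deny rule written as "/pkg.Svc/Method"
// is compared literally, so the non-canonical "pkg.Svc/Method" never matches
// it and falls through to the fallback allow.
func (p Policy) Authorize(fullMethod string) bool {
	for _, d := range p.DenyMethods {
		if d == fullMethod {
			return false
		}
	}
	return p.AllowFallback
}

// ValidateMethodPath is the validating-interceptor check: a gRPC method path
// must be "/<service>/<method>" with a leading slash and non-empty service
// and method components. Anything else is rejected up front, which is the
// behaviour the 1.79.3 fix enforces in the server itself.
func ValidateMethodPath(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrUnimplemented
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ErrUnimplemented
	}
	return nil
}

// AuthorizeHardened is the interceptor-shaped wrapper: validate first, then
// evaluate the policy on a path that is now guaranteed to be canonical.
func AuthorizeHardened(p Policy, fullMethod string) (bool, error) {
	if err := ValidateMethodPath(fullMethod); err != nil {
		return false, err
	}
	return p.Authorize(fullMethod), nil
}

func main() {
	// Constructed sample policy: deny one sensitive method, allow the rest.
	p := Policy{DenyMethods: []string{"/admin.Admin/DeleteUser"}, AllowFallback: true}
	for _, path := range []string{
		"/admin.Admin/DeleteUser", // canonical: deny rule matches
		"admin.Admin/DeleteUser",  // missing leading slash: the bypass case
		"/admin.Admin/ListUsers",  // canonical, not denied: fallback allow
	} {
		vulnerable := p.Authorize(path)
		hardened, err := AuthorizeHardened(p, path)
		fmt.Printf("%-26q vulnerable=%-5v hardened=%-5v err=%v\n", path, vulnerable, hardened, err)
	}
}
```

Running it shows the malformed path being allowed by the raw-string evaluator and rejected by the hardened one, while both canonical paths are decided identically by both. The validator deliberately rejects rather than normalises: prepending a slash would "fix" the path but would also mean the interceptor and the router could disagree about what was requested, which is the class of inconsistency this bug is about.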

Comment 2 errata-xmlrpc 2026-04-23 19:32:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:10107 https://access.redhat.com/errata/RHSA-2026:10107

Comment 3 errata-xmlrpc 2026-04-27 01:42:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:10706 https://access.redhat.com/errata/RHSA-2026:10706

Comment 4 errata-xmlrpc 2026-04-27 01:45:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:10705 https://access.redhat.com/errata/RHSA-2026:10705

Comment 7 errata-xmlrpc 2026-05-19 16:07:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19135 https://access.redhat.com/errata/RHSA-2026:19135

Comment 8 errata-xmlrpc 2026-05-19 18:02:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19207 https://access.redhat.com/errata/RHSA-2026:19207

Comment 9 errata-xmlrpc 2026-05-19 21:38:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19353 https://access.redhat.com/errata/RHSA-2026:19353

Comment 10 errata-xmlrpc 2026-05-20 12:24:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:18068 https://access.redhat.com/errata/RHSA-2026:18068

Comment 11 errata-xmlrpc 2026-05-20 16:40:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:19719 https://access.redhat.com/errata/RHSA-2026:19719

Comment 12 errata-xmlrpc 2026-05-20 16:48:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:19721 https://access.redhat.com/errata/RHSA-2026:19721

Comment 13 errata-xmlrpc 2026-05-20 16:53:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:19720 https://access.redhat.com/errata/RHSA-2026:19720

Comment 14 errata-xmlrpc 2026-05-26 03:53:56 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:17789 https://access.redhat.com/errata/RHSA-2026:17789

Comment 15 errata-xmlrpc 2026-05-27 07:15:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:20322 https://access.redhat.com/errata/RHSA-2026:20322

Comment 16 errata-xmlrpc 2026-05-28 00:11:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:20436 https://access.redhat.com/errata/RHSA-2026:20436

Comment 18 errata-xmlrpc 2026-06-02 11:08:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22450 https://access.redhat.com/errata/RHSA-2026:22450

Comment 19 errata-xmlrpc 2026-06-03 08:01:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22714 https://access.redhat.com/errata/RHSA-2026:22714

Comment 20 errata-xmlrpc 2026-06-03 18:49:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22937 https://access.redhat.com/errata/RHSA-2026:22937

Comment 21 errata-xmlrpc 2026-06-04 13:10:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:23228 https://access.redhat.com/errata/RHSA-2026:23228

Comment 22 errata-xmlrpc 2026-06-18 12:17:57 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2026:27076 https://access.redhat.com/errata/RHSA-2026:27076

Comment 23 errata-xmlrpc 2026-06-22 02:34:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:27712 https://access.redhat.com/errata/RHSA-2026:27712

Comment 24 errata-xmlrpc 2026-06-22 11:30:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:27856 https://access.redhat.com/errata/RHSA-2026:27856

Comment 25 errata-xmlrpc 2026-06-22 20:59:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2026:28047 https://access.redhat.com/errata/RHSA-2026:28047

Comment 26 errata-xmlrpc 2026-06-24 10:56:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:26997 https://access.redhat.com/errata/RHSA-2026:26997

Comment 27 errata-xmlrpc 2026-06-24 15:02:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:26999 https://access.redhat.com/errata/RHSA-2026:26999

Comment 28 errata-xmlrpc 2026-07-01 09:18:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:29079 https://access.redhat.com/errata/RHSA-2026:29079