CVE-2026-33186: RCE — Critical — Patch Now [PoC]
CVE-2026-33186
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go serve...
Overview
A critical security flaw, tracked as CVE-2026-33186, has been discovered in gRPC-Go, the popular Go language implementation of the gRPC framework. This vulnerability is an authorization bypass that could allow unauthorized access to protected server methods. It affects versions prior to 1.79.3.
Vulnerability Details
The vulnerability stems from improper validation of the HTTP/2 :path pseudo-header by the gRPC-Go server. The server incorrectly accepted requests where the path omitted the mandatory leading slash (for example, accepting Service/Method instead of the correct /Service/Method).
While the server could still route these malformed requests to the correct handler, the security checks failed. Authorization interceptors, including the official grpc/authz package, evaluated this raw, non-canonical path string. Consequently, any “deny” rule defined using the proper path format (starting with /) would not match the incoming request. If a fallback “allow” rule was present in the security policy, the request would bypass authorization entirely.
This flaw is exploitable by an attacker capable of sending raw HTTP/2 frames with a malformed :path header directly to the gRPC server.
Impact and Risk
The impact is severe for affected configurations. An attacker could invoke gRPC methods that are explicitly intended to be blocked by security policy, potentially leading to data exposure, unauthorized actions, or privilege escalation.
Your system is at risk if:
- It runs a gRPC-Go server version earlier than 1.79.3.
- It uses path-based authorization interceptors (the official RBAC package or custom interceptors using info.FullMethod).
- Its security policy contains specific “deny” rules for canonical paths but has a default “allow” rule for other requests.
The vulnerability has been assigned a CVSS score of 9.1 (CRITICAL).
Remediation and Mitigation
The primary and most secure action is to upgrade gRPC-Go to version 1.79.3 or later. This fix ensures any request with a :path lacking a leading slash is immediately rejected with an “Unimplemented” error before it reaches authorization logic.
If immediate upgrading is not possible, consider these mitigations:
- Use a Validating Interceptor: Deploy a custom server interceptor that normalizes or rejects non-canonical paths before the authorization interceptor runs.
- Infrastructure-Level Normalization: Configure a reverse proxy or load balancer in front of the gRPC server to normalize or filter HTTP/2 paths.
- Policy Hardening: Review and rewrite authorization policies to avoid relying solely on a default “allow” rule. Adopt a default-deny posture where feasible.
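The deny-rule mismatch from the Vulnerability Details section and the validating-interceptor mitigation above, as an added example that is not gRPC-Go's code or the advisory's: Policy, EvaluateRaw, EvaluateHardened and ValidateFullMethod are hypothetical stand-ins, and the deny path /admin.Admin/DeleteUser is a constructed sample. Wiring ValidateFullMethod into a real server interceptor (checking info.FullMethod before the authz interceptor runs) is left to the reader.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNonCanonicalPath = errors.New("non-canonical method path: missing leading slash")
// ValidateFullMethod is the check a validating interceptor applies to info.FullMethod
// before the authorization interceptor runs (hypothetical helper, not gRPC-Go code).
func ValidateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrNonCanonicalPath
	}
	parts := strings.Split(fullMethod[1:], "/") // canonical form: exactly "/Service/Method"
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ErrNonCanonicalPath
	}
	return nil
}

// Policy models the affected shape: specific deny rules, default allow.
type Policy struct {
	Deny []string // canonical paths to block, e.g. "/admin.Admin/DeleteUser"
}

// EvaluateRaw is the vulnerable pattern: deny rules are compared against the raw path,
// so "admin.Admin/DeleteUser" matches no rule and falls through to the default allow.
func (p Policy) EvaluateRaw(path string) bool {
	for _, d := range p.Deny {
		if d == path {
			return false
		}
	}
	return true // default allow
}

// EvaluateHardened validates first, so the policy never sees a non-canonical path.
func (p Policy) EvaluateHardened(path string) (bool, error) {
	if err := ValidateFullMethod(path); err != nil {
		return false, err
	}
	return p.EvaluateRaw(path), nil
}

func main() {
	p := Policy{Deny: []string{"/admin.Admin/DeleteUser"}} // constructed sample policy
	fmt.Println(p.EvaluateRaw("admin.Admin/DeleteUser"))      // true: the bypass
	fmt.Println(p.EvaluateHardened("admin.Admin/DeleteUser")) // false + error
}
```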
Staying current with patches is crucial for security. For examples of active exploitation, see related reports on the DarkSword iOS Exploit Kit and recent Google Chrome zero-days. For other authorization-related flaws, review the ‘LeakyLooker’ findings in Google Looker Studio.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| JohannesLks/CVE-2026-33186 gRPC-Go RBAC Authorization Policy Bypass via Missing `:path` Slash (Auth Bypass) | ★ 0 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.