## gRPC-Go Security Flaw Exposed: Authorization Bypass via HTTP/2 Path Header
A critical security vulnerability in the widely used gRPC-Go library has been disclosed, exposing servers to potential authorization bypass. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header, a weakness that allows attackers to circumvent intended access controls by crafting malformed requests.

The vulnerability resides in the server's routing logic, which was found to be overly permissive. Specifically, the gRPC-Go server incorrectly accepts requests where the mandatory leading slash in the `:path` header is omitted. For example, a request with a path formatted as `Service/Method` instead of the correct `/Service/Method` would be improperly processed. This deviation from the HTTP/2 specification creates a vector for unauthorized access to protected services and methods.
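To make the defect concrete, here is an added example (not gRPC-Go's own code, and not the patched routing logic) that models the lenient behaviour described above beside a strict validator. The lenient router, the `Policy` allow-list keyed on the raw `:path` string, the `acme.Orders` service and the principal names are all constructed for illustration. The point it shows: when the authorization layer and the router parse the path differently, a non-canonical `Service/Method` request can miss the ACL entry while still reaching the same handler, and validating the path against the canonical `/Service/Method` form before anything else removes that gap.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidPath is returned for :path values that are not in the canonical
// gRPC-over-HTTP/2 form "/" Service-Name "/" Method-Name.
var ErrInvalidPath = errors.New("invalid gRPC :path")

// ParseGRPCPath is a strict parser for the :path pseudo-header. It rejects a
// missing leading slash (the case from the advisory) as well as empty service
// or method components and any extra slashes.
func ParseGRPCPath(path string) (service, method string, err error) {
	if !strings.HasPrefix(path, "/") {
		return "", "", fmt.Errorf("%w: missing leading slash in %q", ErrInvalidPath, path)
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("%w: expected /Service/Method, got %q", ErrInvalidPath, path)
	}
	return parts[0], parts[1], nil
}

// lenientRoute models an overly permissive router (an assumption made for
// illustration, not gRPC-Go's actual dispatch code): it tolerates a missing
// leading slash, so "Service/Method" resolves to the same handler as
// "/Service/Method".
func lenientRoute(path string) (service, method string, ok bool) {
	parts := strings.Split(strings.TrimPrefix(path, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// Policy is a constructed allow-list keyed on the raw :path string, the way a
// path-matching ACL in front of the handlers is commonly written.
var Policy = map[string][]string{
	"/acme.Orders/ListOrders":  {"alice", "bob"},
	"/acme.Orders/DeleteOrder": {"alice"},
}

// allowedBy reports whether principal appears in the allow-list for key.
func allowedBy(key, principal string) bool {
	for _, p := range Policy[key] {
		if p == principal {
			return true
		}
	}
	return false
}

// AuthorizeLenient shows the bypass pattern: the ACL is consulted with the raw
// path, a non-canonical path has no ACL entry, and a fail-open "no entry means
// unrestricted" default lets the lenient router dispatch it anyway.
func AuthorizeLenient(path, principal string) (handler string, allowed bool) {
	svc, m, ok := lenientRoute(path)
	if !ok {
		return "", false
	}
	if _, restricted := Policy[path]; restricted && !allowedBy(path, principal) {
		return "", false
	}
	return svc + "." + m, true
}

// AuthorizeStrict validates the path first, so only the canonical form reaches
// the ACL and the router, and treats a method with no ACL entry as denied.
func AuthorizeStrict(path, principal string) (handler string, allowed bool) {
	svc, m, err := ParseGRPCPath(path)
	if err != nil {
		return "", false
	}
	if !allowedBy(path, principal) {
		return "", false
	}
	return svc + "." + m, true
}

func main() {
	for _, p := range []string{"/acme.Orders/DeleteOrder", "acme.Orders/DeleteOrder"} {
		h1, ok1 := AuthorizeLenient(p, "bob")
		h2, ok2 := AuthorizeStrict(p, "bob")
		fmt.Printf("%-26q lenient: handler=%q allowed=%v | strict: handler=%q allowed=%v\n",
			p, h1, ok1, h2, ok2)
	}
}
```

In a real deployment the same strict check belongs at whatever layer makes the authorization decision (a server interceptor checking the full method name, or a proxy ACL), and the two layers should agree on one canonical form rather than each normalizing on its own.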

The impact is significant for any organization using versions of `google.golang.org/grpc` prior to v1.79.3. The maintainers have released version 1.79.3 to patch this issue. The update represents a substantial jump from v1.72.1, indicating the seriousness of the fix. Developers and security teams are urged to review their dependency chains immediately and apply the security update to mitigate the risk of exploitation, which could lead to unauthorized data access or service manipulation.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33186, gRPC, Go, HTTP/2, Authorization Bypass
- **Credibility**: unverified
- **Published**: 2026-03-25 16:27:20
- **ID**: 33648
- **URL**: https://whisperx.ai/en/intel/33648