## Critical gRPC-Go Vulnerability (CVE-2026-33186) Exposes Kuadrant and Related Repos to Authorization Bypass
A critical vulnerability in the `google.golang.org/grpc` library, tracked as CVE-2026-33186, exposes multiple Go-based repositories within the Kuadrant ecosystem to potential authorization bypass. The flaw, rated with a CVSS score of 9.1, allows gRPC-Go servers to accept HTTP/2 requests whose `:path` header omits the leading forward slash. Path-based authorization interceptors compare the method name against its canonical slash-prefixed form, so this non-canonical path does not match their rules and the check fails, potentially allowing unauthorized access to protected services.
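The interceptor behaviour described above, as an added example that is not code from the page or from the Kuadrant project: a deny-list check keyed on a slash-prefixed method prefix is placed beside a hardened allow-list check that first validates the method path has the canonical `/Service/Method` shape and fails closed otherwise. The service and method names (`example.Admin`, `example.Public`) are constructed for illustration, and the interceptor mirrors the shape of a gRPC unary server interceptor without importing the gRPC package so the block runs stand-alone.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Sample authorization policy: an allow-list keyed by the canonical gRPC
// full-method name ("/package.Service/Method"). The names are constructed
// for illustration and do not correspond to any real Kuadrant service.
var allowedMethods = map[string]bool{
	"/example.Public/Ping": true,
}

var ErrNonCanonicalPath = errors.New("non-canonical method path")
var ErrDenied = errors.New("permission denied")

// canonicalMethod validates the full-method string an interceptor receives
// from the HTTP/2 :path header. It accepts only the exact shape
// "/Service/Method", so a path missing its leading slash (the defect the page
// describes) is rejected instead of slipping past a prefix or map lookup.
func canonicalMethod(fullMethod string) (string, error) {
	if !strings.HasPrefix(fullMethod, "/") {
		return "", ErrNonCanonicalPath
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", ErrNonCanonicalPath
	}
	return fullMethod, nil
}

// authorizeDenyList shows the fragile pattern: it blocks methods under a
// protected prefix and lets everything else through. A path without the
// leading slash does not match the prefix and is therefore allowed.
func authorizeDenyList(fullMethod string) error {
	if strings.HasPrefix(fullMethod, "/example.Admin/") {
		return ErrDenied
	}
	return nil
}

// authorizeAllowList is the hardened form: canonicalize first, then require
// an explicit allow-list entry, so unknown or malformed paths are denied.
func authorizeAllowList(fullMethod string) error {
	m, err := canonicalMethod(fullMethod)
	if err != nil {
		return err
	}
	if !allowedMethods[m] {
		return ErrDenied
	}
	return nil
}

// unaryAuthInterceptor has the shape of a grpc.UnaryServerInterceptor
// (ctx, info.FullMethod, handler) without the grpc dependency. A real
// interceptor would return a codes.PermissionDenied status instead of a
// plain error.
func unaryAuthInterceptor(ctx context.Context, fullMethod string, handler func(context.Context) (interface{}, error)) (interface{}, error) {
	if err := authorizeAllowList(fullMethod); err != nil {
		return nil, fmt.Errorf("authz %q: %w", fullMethod, err)
	}
	return handler(ctx)
}

func main() {
	for _, p := range []string{"/example.Admin/Reset", "example.Admin/Reset", "/example.Public/Ping"} {
		fmt.Printf("%-22s deny-list: %v  allow-list: %v\n", p, authorizeDenyList(p), authorizeAllowList(p))
	}
}
```

The canonicalization guard is a defence-in-depth measure for interceptors written in-house; it does not replace the library upgrade, because the library itself should never hand a non-canonical path to application code.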

The vulnerability directly impacts core components. The `kuadrant-operator` repository uses a vulnerable direct dependency on gRPC-Go version 1.77.0. Several other key services, including `dns-operator`, `policy-machinery`, and `developer-portal-controller`, are affected through indirect or transitive dependencies on older versions like 1.68.1 and 1.71.1. Notably, the `authorino` repository has already been updated to the patched version 1.79.3, while `authorino-operator` and `limitador-operator` are confirmed not to be affected.
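A way to check which resolved gRPC-Go version a module actually builds with, as an added example that is not from the page or the Kuadrant repositories: it parses `go list -m all` output (which lists the effective version after any replace directive and transitive resolution) and flags `google.golang.org/grpc` when it sorts below the patched release. The sample module list is constructed, every module path in it other than `google.golang.org/grpc` is a placeholder, and the threshold `v1.79.3` is taken from the page.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go list -m all` output for a hypothetical module.
// Every module path here except google.golang.org/grpc is a placeholder.
const sampleModList = `example.com/placeholder-operator
github.com/go-logr/logr v1.4.2
google.golang.org/grpc v1.77.0
google.golang.org/protobuf v1.36.5
`

const grpcModule = "google.golang.org/grpc"

// Patched release, as stated on the page.
const grpcFixed = "v1.79.3"

// semver holds the numeric part of a Go module version plus a flag for
// pre-release suffixes ("-rc1"), which sort before the final release.
type semver struct {
	nums [3]int
	pre  bool
}

// parseSemver turns "v1.77.0" or "v1.79.3-rc1" into a semver value.
func parseSemver(v string) (semver, error) {
	var out semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		out.pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unexpected version %q: %w", v, err)
		}
		out.nums[i] = n
	}
	return out, nil
}

// lessThan reports whether a sorts before b.
func lessThan(a, b semver) bool {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.pre && !b.pre
}

// AuditGRPC scans `go list -m all` output and reports the resolved grpc
// version and whether it predates the patched release. found is false when
// grpc is not in the module graph at all.
func AuditGRPC(modList string) (version string, vulnerable bool, found bool, err error) {
	fixed, err := parseSemver(grpcFixed)
	if err != nil {
		return "", false, false, err
	}
	sc := bufio.NewScanner(strings.NewReader(modList))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// The main module is listed without a version; skip it and blank lines.
		if len(fields) < 2 || fields[0] != grpcModule {
			continue
		}
		version = fields[1]
		// A module replacement reads "old v1 => new v2"; the effective
		// version is the last field.
		if len(fields) >= 4 && fields[2] == "=>" {
			version = fields[len(fields)-1]
		}
		got, perr := parseSemver(version)
		if perr != nil {
			return version, false, true, perr
		}
		return version, lessThan(got, fixed), true, nil
	}
	return "", false, false, sc.Err()
}

func main() {
	v, vuln, found, err := AuditGRPC(sampleModList)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case !found:
		fmt.Println(grpcModule, "not in module graph")
	case vuln:
		fmt.Printf("%s %s is older than %s: upgrade required\n", grpcModule, v, grpcFixed)
	default:
		fmt.Printf("%s %s is at or above %s\n", grpcModule, v, grpcFixed)
	}
}
```

Run `go list -m all` in each repository and feed its output to `AuditGRPC`; checking the resolved module graph rather than `go.mod` alone is what catches the indirect dependencies the page lists for `dns-operator`, `policy-machinery` and `developer-portal-controller`.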

This security gap creates immediate pressure on development and security teams to coordinate an urgent, organization-wide upgrade to gRPC-Go version 1.79.3. The risk is not isolated to a single service but spans the operational and policy machinery underpinning the platform's security posture. Failure to patch leaves a critical vector open, where seemingly minor path formatting discrepancies could be exploited to circumvent authentication and authorization controls across multiple services.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33186, gRPC-Go, Authorization Bypass, Kuadrant, Supply Chain Security
- **Credibility**: unverified
- **Published**: 2026-04-07 13:27:19
- **ID**: 53209
- **URL**: https://whisperx.ai/en/intel/53209