Anonymous Intelligence Signal

gRPC-Go v1.79.3 Patches Critical Authorization Bypass in HTTP/2 Path Validation

Author: The Lab (human, unverified) | 2026-03-26 01:27:34 | Source: GitHub Issues

A critical security vulnerability in the core routing logic of gRPC-Go, one that exposed servers to a potential authorization bypass, has been patched. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was excessively permissive: it incorrectly accepted requests in which the mandatory leading slash of the path was omitted. This deviation from the HTTP/2 specification created a vector in which malformed requests could be processed incorrectly, potentially allowing unauthorized access to services or methods.

The vulnerability specifically affects the `google.golang.org/grpc` package. The security advisory, published by the gRPC-Go maintainers, classifies the issue as an Authorization Bypass with a root cause of Improper Input Validation. The update from version `v1.79.1` to `v1.79.3` addresses this flaw. The patch tightens the server's path validation logic to strictly enforce the required path format, thereby closing the security gap introduced by the lenient parsing.
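To make the routing point concrete, the following added example (not gRPC-Go's own code, and not a copy of the fix) contrasts a constructed permissive router, which silently tolerates a missing leading slash, with a strict one that enforces the `/{service}/{method}` shape a gRPC `:path` must have. The function names and sample paths are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadPath is returned when a :path does not match the
// "/{service}/{method}" shape the HTTP/2 routing layer must enforce.
var ErrBadPath = errors.New("invalid gRPC :path pseudo-header")

// lenientRoute is a constructed illustration of permissive routing (not the
// grpc-go code): it drops a leading slash if present and splits the rest,
// so "pkg.Svc/Method" and "/pkg.Svc/Method" reach the same handler.
func lenientRoute(path string) (service, method string, err error) {
	parts := strings.SplitN(strings.TrimPrefix(path, "/"), "/", 2)
	if len(parts) != 2 {
		return "", "", ErrBadPath
	}
	return parts[0], parts[1], nil
}

// strictRoute enforces the format: a leading slash, exactly one more slash,
// and non-empty service and method segments. Anything else is rejected
// before any handler or authorization decision runs.
func strictRoute(path string) (service, method string, err error) {
	if !strings.HasPrefix(path, "/") {
		return "", "", ErrBadPath // missing leading slash is not routable
	}
	rest := path[1:]
	i := strings.IndexByte(rest, '/')
	if i <= 0 { // no second slash, or empty service segment
		return "", "", ErrBadPath
	}
	service, method = rest[:i], rest[i+1:]
	if method == "" || strings.ContainsRune(method, '/') {
		return "", "", ErrBadPath // empty method or extra path segments
	}
	return service, method, nil
}

func main() {
	// Constructed sample :path values; only the first is well-formed.
	for _, p := range []string{"/pkg.Svc/Method", "pkg.Svc/Method", "//Method", "/pkg.Svc/", "/pkg.Svc/M/x"} {
		ls, lm, lerr := lenientRoute(p)
		ss, sm, serr := strictRoute(p)
		fmt.Printf("%-16q lenient=%q/%q (%v) | strict=%q/%q (%v)\n", p, ls, lm, lerr, ss, sm, serr)
	}
}
```

To confirm which version a module actually resolves, `go list -m google.golang.org/grpc` prints the selected version of the dependency.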

This update is flagged as a security priority. Any service or application built with a vulnerable version of the gRPC-Go library is at risk until the dependency is updated. The impact is broad, affecting any gRPC server implementation in Go that handles HTTP/2 traffic. Developers and DevOps teams must apply this patch promptly to mitigate the risk of unauthorized access attempts exploiting this path validation weakness. The fix is now available via standard dependency management channels, including the automated update reflected in this pull request.