Anonymous Intelligence Signal

Critical Authorization Bypass in gRPC-Go Forces Emergency Patch to v1.79.3

human The Lab unverified 2026-05-14 01:48:28 Source: GitHub Issues

A critical authorization bypass in google.golang.org/grpc (gRPC-Go) has been fixed in v1.79.3; deployments on the affected releases, which the report places at v1.75.1 and later, should upgrade immediately. Tracked as CVE-2026-33186 and GHSA-p77j-4mvh-x3m3, the flaw lets a client bypass authorization checks because the server did not properly validate the HTTP/2 `:path` pseudo-header.

The vulnerability stems from how gRPC-Go handled requests whose `:path` header lacked the required leading slash or was otherwise malformed. gRPC defines the path of every call as `/{service}/{method}`, and servers derive from it the full method name that authorization logic typically keys on. When a request with a non-canonical path is accepted and still dispatched, an authorization check that compares the method name against the expected slash-prefixed string can fail to match, and the handler runs as though the call were unprotected. Any gRPC-Go deployment whose authorization decisions depend on the request path, whether in an interceptor, a proxy policy or the handler itself, is potentially exposed. Exactly which malformed shapes were dispatched is not detailed here, so treat every listener reachable by untrusted or less-trusted clients as in scope until it is patched.
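The class of bug described above, as an added example that is not part of the article or of gRPC-Go: a fragile denylist check keyed on the exact method string, beside a hardened check that validates the method name's shape and denies by default. The `Principal` type, the `policy` table, the `acme.*` service names and the way the weak check misses are assumptions made for illustration; how the affected gRPC-Go versions actually dispatched a slash-less path is not something the article specifies, so the example models only the general pattern.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Illustrative only: Principal, policy and both authorize functions are
// assumptions for this example, not gRPC-Go code.

var (
	ErrUnauthenticated  = errors.New("unauthenticated")
	ErrPermissionDenied = errors.New("permission denied")
)

// Principal is whatever the authentication layer (mTLS, token, ...) established.
type Principal struct {
	Name  string
	Roles []string
}

func hasRole(p *Principal, role string) bool {
	if p == nil {
		return false
	}
	for _, r := range p.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// weakAuthorize models the fragile pattern: a denylist keyed on the exact
// slash-prefixed method string, with everything else allowed. If the method
// name arrives without its leading slash, the lookup misses and the call
// proceeds as if it were unprotected.
func weakAuthorize(fullMethod string, p *Principal) error {
	adminOnly := map[string]bool{"/acme.Admin/DeleteUser": true}
	if adminOnly[fullMethod] && !hasRole(p, "admin") {
		return ErrPermissionDenied
	}
	return nil
}

// canonicalMethod accepts only "/<service>/<method>": one leading slash,
// two non-empty segments, no whitespace and no extra slashes.
var canonicalMethod = regexp.MustCompile(`^/[^/\s]+/[^/\s]+$`)

// policy lists, per canonical method, the roles allowed to call it.
// Any method absent from the table is denied.
var policy = map[string][]string{
	"/acme.Public/Ping":      {"user", "admin"},
	"/acme.Admin/DeleteUser": {"admin"},
}

// hardenedAuthorize validates the method name's shape before consulting an
// allowlist, so a non-canonical path can never slip past a string comparison;
// unknown methods and missing principals are denied as well.
func hardenedAuthorize(fullMethod string, p *Principal) error {
	if !canonicalMethod.MatchString(fullMethod) {
		return fmt.Errorf("%w: malformed method name %q", ErrPermissionDenied, fullMethod)
	}
	if p == nil {
		return ErrUnauthenticated
	}
	allowed, known := policy[fullMethod]
	if !known {
		return fmt.Errorf("%w: no policy entry for %q", ErrPermissionDenied, fullMethod)
	}
	for _, role := range allowed {
		if hasRole(p, role) {
			return nil
		}
	}
	return ErrPermissionDenied
}

func main() {
	user := &Principal{Name: "alice", Roles: []string{"user"}}
	for _, m := range []string{"/acme.Admin/DeleteUser", "acme.Admin/DeleteUser"} {
		fmt.Printf("%-24s weak=%v hardened=%v\n", m, weakAuthorize(m, user), hardenedAuthorize(m, user))
	}
}
```

In a real server the method string would come from the `FullMethod` field an interceptor receives; the point is that the check must reject anything that is not the canonical shape rather than assume the transport already did, and must fall through to deny rather than allow.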

Organizations using gRPC for inter-service communication, API backends, or any system that relies on gRPC-side authentication and authorization should treat this as a high-priority patching operation. Affected versions run from v1.75.1 up to the fix in v1.79.3, so anything in that range needs remediation; confirm the exact range against the advisory before closing a ticket on it. Security teams should audit their dependency trees (`go list -m all | grep google.golang.org/grpc` in each module, and `govulncheck ./...` once the advisory is in the Go vulnerability database), keeping in mind that the module is often pulled in transitively and compiled into third-party binaries, sidecars and proxies rather than declared directly, and then roll the patched version through staging and production without delay.
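A small audit helper for the dependency check above, added here as an example rather than taken from the article or any project: it reads the JSON stream that `go list -m -json all` emits and flags a resolved google.golang.org/grpc version inside the range the article gives. The range constants, the `goListModule` shape (only the fields used) and the sample output are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Range as the article states it: v1.75.1 up to, but not including, the fixed
// v1.79.3. Confirm it against the advisory before relying on this check.
const (
	affectedModule = "google.golang.org/grpc"
	affectedFrom   = "v1.75.1"
	fixedIn        = "v1.79.3"
)

// goListModule holds the fields of `go list -m -json all` records used here.
type goListModule struct {
	Path    string        `json:"Path"`
	Version string        `json:"Version"`
	Replace *goListModule `json:"Replace,omitempty"`
}

// semverKey maps "v1.79.3" to 1079003 so versions compare as plain integers;
// pre-release and build suffixes ("-dev", "+incompatible") are dropped.
func semverKey(v string) (int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a semver triple: %q", v)
	}
	key := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 {
			return 0, fmt.Errorf("bad version component %q in %q", p, v)
		}
		key = key*1000 + n
	}
	return key, nil
}

// isAffected reports whether a resolved grpc version lies in [affectedFrom, fixedIn).
func isAffected(version string) (bool, error) {
	v, err := semverKey(version)
	if err != nil {
		return false, err
	}
	lo, _ := semverKey(affectedFrom)
	hi, _ := semverKey(fixedIn)
	return v >= lo && v < hi, nil
}

// AuditGoList scans `go list -m -json all` output and returns the resolved grpc
// version if it is affected, or "" if the module is absent or already fixed.
// A replace directive with a version overrides the requirement; a directory
// replace cannot be judged from go list, so it is returned as "replaced:<path>".
func AuditGoList(r io.Reader) (string, error) {
	dec := json.NewDecoder(r)
	for {
		var m goListModule
		if err := dec.Decode(&m); err == io.EOF {
			return "", nil
		} else if err != nil {
			return "", err
		}
		if m.Path != affectedModule {
			continue
		}
		if m.Replace != nil {
			if m.Replace.Version == "" {
				return "replaced:" + m.Replace.Path, nil
			}
			m.Version = m.Replace.Version
		}
		hit, err := isAffected(m.Version)
		if err != nil {
			return "", err
		}
		if hit {
			return m.Version, nil
		}
		return "", nil
	}
}

// Constructed sample of `go list -m -json all` output, not from a real project.
const sampleGoList = `{"Path":"example.com/svc","Main":true}
{"Path":"google.golang.org/grpc","Version":"v1.76.0"}
{"Path":"google.golang.org/protobuf","Version":"v1.36.0"}`

func main() {
	hit, err := AuditGoList(strings.NewReader(sampleGoList))
	fmt.Printf("affected=%q err=%v\n", hit, err)
}
```

To run it over a real module, feed `os.Stdin` to `AuditGoList` and pipe `go list -m -json all` into the program from the module root; repeat per module in a multi-module repository, since `go list` reports only the current module's graph. A non-empty result means the build is pulling an affected release, even if go.mod never mentions grpc directly.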