The Lab · 2026-03-25 16:27:20 · GitHub Issues
A critical security vulnerability in the widely-used gRPC-Go library has been disclosed, exposing servers to potential authorization bypass. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. This weakness allows attackers to potentially circumvent intended ac...
The Lab · 2026-03-25 19:27:30 · GitHub Issues
A critical security vulnerability in the gRPC-Go library (CVE-2026-33186) has been confirmed; under specific conditions it allows an attacker to bypass a service's authorization controls. The vulnerability affects all versions of the `google.golang.org/grpc` library below v1.79.3. The core risk is that an attacker can send a malformed HTTP/2 request that exploits improper validation of the `:path` pseudo-header, so that the request path evades path-based authorization policy checks while still being routed to the intended handler.
The conditions for exploiting the vulnerability are fairly strict, and several prerequisites must all be met: the service must be running a gRPC-Go server; it must use a path-based authorization mechanism (such as `google.golang.org/grpc/authz` or a custom interceptor); and the authorization policy must contain rules targeting the canonical path (...
The Lab · 2026-03-26 01:27:32 · GitHub Issues
A critical security flaw in the core routing logic of Google's gRPC-Go library has been patched, exposing servers to potential authorization bypass. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was found to be overly permissiv...
The Lab · 2026-03-26 01:27:34 · GitHub Issues
A critical security vulnerability in the core routing logic of gRPC-Go has been patched, exposing servers to potential authorization bypass. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be excessively permissive,...
The Lab · 2026-03-26 18:27:21 · GitHub Issues
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be dangerously lenient, incorrectly accepti...
The Lab · 2026-03-26 18:27:24 · GitHub Issues
A high-severity authorization bypass vulnerability (CVE-2026-33186) has been found in the core server component of Google's gRPC-Go framework, stemming from improper input validation of the HTTP/2 `:path` pseudo-header. The vulnerability allows an attacker to bypass the server's routing logic by crafting a specific malicious request path, potentially leading to unauthorized data access or service invocation. The root cause is that the gRPC-Go server's routing logic is too permissive and accepts `:path` header values that do not conform to the specification.
The security update was published as a pull request (PR) by the automated dependency-management tool Renovate, urgently upgrading the `google.golang.org/grpc` module from the vulnerable v1.58.3 to the fixed v1.79.3. The update spans a very large range and involves multiple...
The Lab · 2026-03-26 20:27:28 · GitHub Issues
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be dangerously lenient, incorrectly accepti...
The Lab · 2026-03-27 13:27:25 · GitHub Issues
The Istio service mesh has released a critical security patch for version 1.21.6, addressing a severe vulnerability in the underlying gRPC-Go library. The flaw, tracked as CVE-2026-33186, allows for a complete authorization bypass. The exploit hinges on a missing leading slash in the HTTP/2 `:path` pseudo-header, which...
The Lab · 2026-03-30 20:27:34 · GitHub Issues
A critical security flaw in the core routing logic of gRPC-Go servers has been disclosed, enabling potential authorization bypass. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be excessively permissive, ...
The Lab · 2026-03-31 09:27:06 · GitHub Issues
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be excessively lenient, incorrectly accepti...
The Lab · 2026-04-01 23:27:08 · GitHub Issues
A critical security flaw in the core routing logic of Google's gRPC-Go library has been disclosed, exposing servers to potential authorization bypass. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be exce...
The Lab · 2026-04-02 22:27:08 · GitHub Issues
A critical security vulnerability in Google's gRPC-Go framework has been disclosed that allows an attacker to bypass server-side authorization checks by crafting a specific HTTP/2 request path. The vulnerability is identified as CVE-2026-33186; its core problem is that the framework fails to handle paths lacking a leading slash correctly when processing the `:path` pseudo-header field of HTTP/2 requests. This input-validation flaw means malicious requests may be misrouted to unprotected internal endpoints, bypassing the intended authentication and authorization mechanisms and posing a direct threat to microservice architectures that rely on gRPC for inter-service communication.
The vulnerability affects Go backend services that make wide use of gRPC-Go. The open-source security advisory GHSA-p77j-4mvh-x3m3 and the official Go vulnerability database entry GO-2026-4762 both record this issue. In response, g...
The Lab · 2026-04-07 13:27:19 · GitHub Issues
A critical vulnerability in the `google.golang.org/grpc` library, tracked as CVE-2026-33186, exposes multiple Go-based repositories within the Kuadrant ecosystem to potential authorization bypass. The flaw, rated with a CVSS score of 9.1, allows gRPC-Go servers to accept HTTP/2 requests where the `:path` header omits t...
The Lab · 2026-04-13 02:22:32 · GitHub Issues
A critical security vulnerability, identified as CVE-2026-33186, has been discovered in Google's gRPC-Go framework. The vulnerability arises because the framework does not require the path to begin with a forward slash (`/`) when processing the HTTP/2 `:path` pseudo-header. An attacker could exploit this flaw to craft specific requests that bypass intended authorization checks and gain unauthorized access to protected services or endpoints. The flaw directly threatens the security boundary of all modern cloud-native architectures that rely on gRPC for communication between microservices.
The vulnerability affects multiple versions of the `google.golang.org/grpc` library. In dependency updates across open-source projects, a concerted effort has been observed to urgently upgrade from several older versions, including v1.58.3, v1.71.1 and v1.66.0, to the fixed version v1.79.3. The updates involve `require` (direct dependencies)...
The Lab · 2026-04-16 13:23:07 · GitHub Issues
A critical security flaw in the widely used gRPC-Go library has been patched, exposing servers to potential authorization bypass attacks. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header by the gRPC-Go server. This leniency could allow a malicious cl...
The Lab · 2026-04-22 04:22:50 · GitHub Issues
Google's gRPC-Go library has released an emergency security update fixing a critical authorization bypass vulnerability. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. An attacker could craft a path lacking the leading slash to bypass server-side authorization checks and access protected gRPC service endpoints without authentication. The vulnerability directly affects all microservices, API gateways and cloud-native applications built with affected versions of the gRPC-Go library.
The update raises the module version from v1.74.2 to v1.79.3. Details of the vulnerability were disclosed in GitHub security advisory GHSA-p77j-4mvh-x3m3. The issue is classified as an authorization bypass and rated high severity, because it directly threatens the security boundary of gRPC-based systems. Relying on auto...
The Lab · 2026-05-04 18:54:14 · GitHub Issues
Security researchers have identified four critical vulnerabilities embedded within the Go dependency chain of Red Hat's multicluster-globalhub version 1.5, specifically targeting the Stolostron/glo-grafana repository. The flaws, spanning denial-of-service vectors and authentication bypass mechanisms, affect core crypto...
The Lab · 2026-05-13 09:18:29 · Mastodon:mastodon.social:#infosec
A critical vulnerability affects gRPC-Go. According to the available data, the absence of a slash in the HTTP/2 `:path` header would allow all of the framework's authorization mechanisms to be bypassed. The flaw, designated CVE-2026-33186, carries a CVSS score of 9.1, reflecting a high severity in the official assessment...
The Lab · 2026-05-14 01:48:28 · GitHub Issues
A critical authorization bypass vulnerability in google.golang.org/grpc has been patched, requiring immediate upgrades from v1.75.1 to v1.79.3. Tracked as CVE-2026-33186 and GHSA-p77j-4mvh-x3m3, the flaw allows attackers to bypass authorization checks through improper validation of the HTTP/2 `:path` pseudo-header.
Th...