The Lab · 2026-03-25 07:52:32 · GitHub Issues
A critical security vulnerability in the NATS.io messaging server allows authenticated clients to bypass publish permissions and route internal trace messages to arbitrary subjects. The flaw, tracked as CVE-2026-33249, is present in versions prior to 2.12.6 and 2.11.15. While the payload is limited to a valid trace mes...
The Lab · 2026-03-25 10:27:16 · GitHub Issues
A critical authorization bypass has been identified in a smart contract's payout mechanism. The `distribute_winnings` function contains a flawed check that allows any user to spoof the administrator's identity, potentially enabling the theft of funds. The function manually asserts that the transaction `caller` is not t...
The Lab · 2026-03-25 16:27:20 · GitHub Issues
A critical security vulnerability in the widely-used gRPC-Go library has been disclosed, exposing servers to potential authorization bypass. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. This weakness allows attackers to potentially circumvent intended ac...
The Lab · 2026-03-25 19:27:30 · GitHub Issues
A critical security vulnerability in the gRPC-Go library (CVE-2026-33186) has been confirmed; under specific conditions it allows an attacker to bypass a service's authorization controls. The vulnerability affects all versions of the `google.golang.org/grpc` library below v1.79.3. The core risk is that an attacker can send a malformed HTTP/2 request that exploits the improper validation of the `:path` pseudo-header, so that the request path evades path-based authorization policy checks yet is still routed to the intended handler.
Exploiting the vulnerability requires several preconditions to hold at once: the service must run a gRPC-Go server; it must use a path-based authorization mechanism (such as `google.golang.org/grpc/authz` or a custom interceptor); and the authorization policy must contain rules targeting the canonical path (...
The Lab · 2026-03-26 18:27:21 · GitHub Issues
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be dangerously lenient, incorrectly accepti...
The Lab · 2026-03-26 18:27:22 · GitHub Issues
A critical security update is being pushed to thousands of Go projects worldwide through Renovate, GitHub's automated dependency-management tool. The update targets `google.golang.org/grpc`, the core network communication library maintained by Google, and fixes a high-severity vulnerability tracked as CVE-2026-33186. The vulnerability is classified as an "authorization bypass" rooted in "improper input validation", meaning an attacker could craft malicious input to bypass the server's authentication or authorization checks and reach unauthorized data or functionality.
The update bumps the gRPC library directly from `v1.63.2` to `v1.79.3`, a very large jump that shows it bundles a substantial backlog of accumulated fixes and improvements, with the security fix being the core driver of this forced upgrade. The pull request generated by the automated tool Renovate...
The Lab · 2026-03-26 18:27:24 · GitHub Issues
A high-severity authorization bypass vulnerability (CVE-2026-33186) has been found in the core server component of Google's gRPC-Go framework, stemming from improper input validation of the HTTP/2 `:path` pseudo-header. The vulnerability allows an attacker to craft a specific malicious request path that bypasses the server's routing logic, potentially leading to unauthorized data access or service invocation. The root cause is that the gRPC-Go server's routing logic is too lenient and accepts `:path` header values that do not conform to the specification.
This security update is published as a pull request (PR) by the automated dependency-management tool Renovate, urgently upgrading the `google.golang.org/grpc` module from the vulnerable v1.58.3 to the fixed v1.79.3. The upgrade spans a large range and involves multiple...
The Lab · 2026-03-26 20:27:28 · GitHub Issues
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be dangerously lenient, incorrectly accepti...
The Lab · 2026-03-30 20:27:34 · GitHub Issues
A critical security flaw in the core routing logic of gRPC-Go servers has been disclosed, enabling potential authorization bypass. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be excessively permissive, ...
The Lab · 2026-03-31 09:27:06 · GitHub Issues
A critical security vulnerability in the widely-used gRPC-Go library exposes servers to authorization bypass attacks. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing logic was found to be excessively lenient, incorrectly accepti...
The Lab · 2026-03-31 14:27:31 · GitHub Issues
A serious security vulnerability has been disclosed in gRPC-Go, Google's core microservice communication framework. The defect, numbered CVE-2026-33186, stems from improper input validation of the `:path` pseudo-header in the HTTP/2 protocol and may allow an attacker to bypass server-side authorization checks. The vulnerability is classified as an "Authorization Bypass" and directly affects every system that uses an affected version of the gRPC-Go server component.
The vulnerability exists in the google.golang.org/grpc library and was introduced starting from a specific version. The security advisory states explicitly that the root cause is the gRPC-Go server's overly lenient parsing of the path header in HTTP/2 requests. An attacker could use a carefully crafted malicious request path to trick the server into processing what the permission system should have...
The Lab · 2026-04-02 22:27:08 · GitHub Issues
A critical security vulnerability in Google's gRPC-Go framework has been disclosed that allows an attacker to bypass server-side authorization checks by constructing a specific HTTP/2 request path. The vulnerability, numbered CVE-2026-33186, centers on the framework's failure to correctly handle paths missing a leading slash when processing the `:path` pseudo-header field of HTTP/2 requests. This input-validation flaw means malicious requests may be incorrectly routed to unprotected internal endpoints, bypassing the intended authentication and authorization mechanisms and posing a direct threat to microservice architectures that rely on gRPC for service-to-service communication.
The vulnerability affects Go backend services that make extensive use of gRPC-Go. The open-source security advisory GHSA-p77j-4mvh-x3m3 and the Go vulnerability database entry GO-2026-4762 both record this issue. In response, g...
The Lab · 2026-04-03 20:27:07 · GitHub Issues
A critical security vulnerability has been exposed in a codebase, allowing any authenticated user to access, modify, or delete the bank accounts of any other user. The flaw is a classic Insecure Direct Object Reference (IDOR) vulnerability, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The e...
The Lab · 2026-04-07 13:27:19 · GitHub Issues
A critical vulnerability in the `google.golang.org/grpc` library, tracked as CVE-2026-33186, exposes multiple Go-based repositories within the Kuadrant ecosystem to potential authorization bypass. The flaw, rated with a CVSS score of 9.1, allows gRPC-Go servers to accept HTTP/2 requests where the `:path` header omits t...
The Lab · 2026-04-14 08:22:45 · GitHub Issues
A critical flaw in the Sigstore timestamp-authority verifier allows attackers to bypass authorization controls by manipulating the certificate bag. The vulnerability, tracked as CVE-2026-39984, resides in the `VerifyTimestampResponse` function within the `timestamp-authority/v2/pkg/verification` package. The function c...
The Lab · 2026-04-16 13:23:07 · GitHub Issues
A critical security flaw in the widely used gRPC-Go library has been patched, exposing servers to potential authorization bypass attacks. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header by the gRPC-Go server. This leniency could allow a malicious cl...
The Lab · 2026-04-21 13:23:10 · GitHub Issues
A high-severity security vulnerability in a GitHub repository allows any authenticated user to bypass a client-side admin check and directly query the database for all soft-deleted team documents. The flaw, identified in a pre-PR scan for TD #525, stems from a critical mismatch between a frontend JavaScript guard and t...
The Lab · 2026-04-22 04:22:50 · GitHub Issues
Google's gRPC-Go library has released an emergency security update fixing a critical authorization bypass vulnerability. Tracked as CVE-2026-33186, the vulnerability stems from improper input validation of the HTTP/2 `:path` pseudo-header. An attacker could construct a path that is missing its leading slash to bypass the authorization checks configured on the server and gain unvalidated access to protected gRPC service endpoints. The vulnerability directly affects all microservices, API gateways and cloud-native applications built with affected versions of the gRPC-Go library.
The update raises the module version from v1.74.2 to v1.79.3. Details of the vulnerability have been disclosed in GitHub security advisory GHSA-p77j-4mvh-x3m3. The issue is classified as an authorization bypass and rated high severity because it directly threatens the security boundary of gRPC-based systems. Relying on...
The Lab · 2026-04-23 13:54:12 · GitHub Issues
A critical broken object-level authorization (BOLA/IDOR) vulnerability has been identified in the `DELETE /stream/schedules/:id` endpoint, allowing any authenticated user with the `stream:delete` permission to cancel recurring donation schedules belonging to other users. The endpoint fails to verify that the requesting...
The Lab · 2026-04-24 03:54:10 · GitHub Issues
A medium-severity authorization bypass vulnerability has been identified in Sigstore Timestamp Authority, affecting versions 2.0.5 and below. The flaw resides in the VerifyTimestampResponse function within the timestamp-authority/v2/pkg/verification package. The function correctly validates the certificate chain signat...