CVE-2026-33186 | gRPC-Go has an authorization bypass via missing leading slash in :path

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

公開: 2026-03-20 最終更新: 2026-07-09 Assigner: [email protected] ソース: [email protected]

総合評価: CVE-2026-33186 は中リスク(62.7/100)。CVSS 深刻度は重大。悪用される可能性が高い(EPSS 1.56%、72 パーセンタイル) 根拠: 直近 1 日で EPSS が +1.04% 上昇。悪用への関心が高まっている可能性があります。 推奨対応: 影響資産を整理し、修補計画に組み込んでください。

リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。

CVE-2026-33186 の EPSS(Exploit Prediction Scoring System)スコア

EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。

# 日付 旧 EPSS スコア 新 EPSS スコア Δ(新 − 旧)
1 2026-06-30 0.52% 1.56% +1.04%
2 2026-06-15 0.01% 0.52% +0.51%
3 2026-03-21 0.01%

EPSS の全履歴 (全 3 件)

CVE-2026-33186 の CVSS(Common Vulnerability Scoring System)指標

この CVE の CVSS 指標。

ベーススコア バージョン 深刻度 ベクトル 悪用しやすさ 影響 スコアの出典
9.1 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:N)
事前のログインや昇格は不要で、匿名アクセスのまま踏み台にしうる。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:H)
広範な機微データの読み取りや持ち出しが現実的。
完全性への影響 (I:H)
権限の奪取や広範なログ改竄など、システムの信頼根拠を揺るがす改ざんが現実的。
可用性への影響 (A:N)
業務継続に支障が出るレベルの停止や劣化は想定されない。
3.9 5.2 [email protected]
9.1 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:N)
事前のログインや昇格は不要で、匿名アクセスのまま踏み台にしうる。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:H)
広範な機微データの読み取りや持ち出しが現実的。
完全性への影響 (I:H)
権限の奪取や広範なログ改竄など、システムの信頼根拠を揺るがす改ざんが現実的。
可用性への影響 (A:N)
業務継続に支障が出るレベルの停止や劣化は想定されない。
3.9 5.2 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

CVE-2026-33186 の弱点分類(列挙)

CVE-2026-33186 の GitHub Security Advisory

GHSA-p77j-4mvh-x3m3 · 深刻度: critical · エコシステム: go — gRPC-Go has an authorization bypass via missing leading slash in :path

CVE-2026-33186 の OS トラッカー

vendor priority summary link
alpine CVE-2026-33186: 1 source package rows (grpc); 19 state rows across 2 repos (3.23-community, edge-community); fixed 0, open 19. https://security.alpinelinux.org/vuln/CVE-2026-33186
debian not yet assigned CVE-2026-33186 not yet assigned priority: Debian including 1 source packages (golang-google-grpc), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. https://security-tracker.debian.org/tracker/CVE-2026-33186
redhat high https://access.redhat.com/security/cve/CVE-2026-33186
suse high CVE-2026-33186 severity important: SUSE including 367 source package names (amazon-cloudwatch-agent-1.300064.0-2.1, amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, …), 662 product×package rows across 38 product lines (Image SLES12-SP5-GCE-SAP-BYOS, Image SLES12-SP5-GCE-SAP-On-Demand, … (38 product lines)): Known Not Affected 296, Known Affected 231, Fixed 66, Will Not Fix 53, First Fixed 16. https://www.suse.com/security/cve/CVE-2026-33186/
ubuntu high CVE-2026-33186 high priority: Ubuntu including 2 source packages (golang-google-grpc, google-guest-agent), 14 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): needs-triage 14. https://ubuntu.com/security/CVE-2026-33186

CVE-2026-33186 の影響を受けるソフトウェア/構成

ベンダー 製品 バージョン 生の CPE
grpc grpc < 1.79.3 cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*

CVE-2026-33186 の参考情報

URL タグ
https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 Mitigation Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:10093
https://access.redhat.com/errata/RHSA-2026:10094
https://access.redhat.com/errata/RHSA-2026:10105
https://access.redhat.com/errata/RHSA-2026:10107
https://access.redhat.com/errata/RHSA-2026:10125
https://access.redhat.com/errata/RHSA-2026:10126
https://access.redhat.com/errata/RHSA-2026:10130
https://access.redhat.com/errata/RHSA-2026:10131
https://access.redhat.com/errata/RHSA-2026:10153
https://access.redhat.com/errata/RHSA-2026:10155
https://access.redhat.com/errata/RHSA-2026:10158
https://access.redhat.com/errata/RHSA-2026:10172
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:10698
https://access.redhat.com/errata/RHSA-2026:10705
https://access.redhat.com/errata/RHSA-2026:10706
https://access.redhat.com/errata/RHSA-2026:11070
https://access.redhat.com/errata/RHSA-2026:11408
https://access.redhat.com/errata/RHSA-2026:11803
https://access.redhat.com/errata/RHSA-2026:11856
https://access.redhat.com/errata/RHSA-2026:11916
https://access.redhat.com/errata/RHSA-2026:11996
https://access.redhat.com/errata/RHSA-2026:12116
https://access.redhat.com/errata/RHSA-2026:12118
https://access.redhat.com/errata/RHSA-2026:12119
https://access.redhat.com/errata/RHSA-2026:12277
https://access.redhat.com/errata/RHSA-2026:12279
https://access.redhat.com/errata/RHSA-2026:12283
https://access.redhat.com/errata/RHSA-2026:12337
https://access.redhat.com/errata/RHSA-2026:13548
https://access.redhat.com/errata/RHSA-2026:13791
https://access.redhat.com/errata/RHSA-2026:13829
https://access.redhat.com/errata/RHSA-2026:14775
https://access.redhat.com/errata/RHSA-2026:15092
https://access.redhat.com/errata/RHSA-2026:17123
https://access.redhat.com/errata/RHSA-2026:17448
https://access.redhat.com/errata/RHSA-2026:17459
https://access.redhat.com/errata/RHSA-2026:17468
https://access.redhat.com/errata/RHSA-2026:17474
https://access.redhat.com/errata/RHSA-2026:17475
https://access.redhat.com/errata/RHSA-2026:17598
https://access.redhat.com/errata/RHSA-2026:17599
https://access.redhat.com/errata/RHSA-2026:17789
https://access.redhat.com/errata/RHSA-2026:18068
https://access.redhat.com/errata/RHSA-2026:18585
https://access.redhat.com/errata/RHSA-2026:19099
https://access.redhat.com/errata/RHSA-2026:19108
https://access.redhat.com/errata/RHSA-2026:19109
https://access.redhat.com/errata/RHSA-2026:19135
https://access.redhat.com/errata/RHSA-2026:19207
https://access.redhat.com/errata/RHSA-2026:19353
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:19719
https://access.redhat.com/errata/RHSA-2026:19720
https://access.redhat.com/errata/RHSA-2026:19721
https://access.redhat.com/errata/RHSA-2026:20034
https://access.redhat.com/errata/RHSA-2026:20035
https://access.redhat.com/errata/RHSA-2026:20041
https://access.redhat.com/errata/RHSA-2026:20042
https://access.redhat.com/errata/RHSA-2026:20088
https://access.redhat.com/errata/RHSA-2026:20089
https://access.redhat.com/errata/RHSA-2026:20322
https://access.redhat.com/errata/RHSA-2026:20436
https://access.redhat.com/errata/RHSA-2026:20943
https://access.redhat.com/errata/RHSA-2026:20946
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:21657
https://access.redhat.com/errata/RHSA-2026:21658
https://access.redhat.com/errata/RHSA-2026:21691
https://access.redhat.com/errata/RHSA-2026:21692
https://access.redhat.com/errata/RHSA-2026:21696
https://access.redhat.com/errata/RHSA-2026:21697
https://access.redhat.com/errata/RHSA-2026:21703
https://access.redhat.com/errata/RHSA-2026:21704
https://access.redhat.com/errata/RHSA-2026:21709
https://access.redhat.com/errata/RHSA-2026:21710
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:21931
https://access.redhat.com/errata/RHSA-2026:21932
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:22423
https://access.redhat.com/errata/RHSA-2026:22450
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22485
https://access.redhat.com/errata/RHSA-2026:22645
https://access.redhat.com/errata/RHSA-2026:22689
https://access.redhat.com/errata/RHSA-2026:22714
https://access.redhat.com/errata/RHSA-2026:22800
https://access.redhat.com/errata/RHSA-2026:22937
https://access.redhat.com/errata/RHSA-2026:22959
https://access.redhat.com/errata/RHSA-2026:22961
https://access.redhat.com/errata/RHSA-2026:23228
https://access.redhat.com/errata/RHSA-2026:23234
https://access.redhat.com/errata/RHSA-2026:23235
https://access.redhat.com/errata/RHSA-2026:23241
https://access.redhat.com/errata/RHSA-2026:23246
https://access.redhat.com/errata/RHSA-2026:23247
https://access.redhat.com/errata/RHSA-2026:23345
https://access.redhat.com/errata/RHSA-2026:24484
https://access.redhat.com/errata/RHSA-2026:24506
https://access.redhat.com/errata/RHSA-2026:24535
https://access.redhat.com/errata/RHSA-2026:24536
https://access.redhat.com/errata/RHSA-2026:24759
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:25009
https://access.redhat.com/errata/RHSA-2026:25045
https://access.redhat.com/errata/RHSA-2026:25127
https://access.redhat.com/errata/RHSA-2026:25182
https://access.redhat.com/errata/RHSA-2026:25183
https://access.redhat.com/errata/RHSA-2026:25187
https://access.redhat.com/errata/RHSA-2026:25194
https://access.redhat.com/errata/RHSA-2026:25195
https://access.redhat.com/errata/RHSA-2026:25201
https://access.redhat.com/errata/RHSA-2026:26412
https://access.redhat.com/errata/RHSA-2026:26413
https://access.redhat.com/errata/RHSA-2026:26416
https://access.redhat.com/errata/RHSA-2026:26420
https://access.redhat.com/errata/RHSA-2026:26519
https://access.redhat.com/errata/RHSA-2026:26568
https://access.redhat.com/errata/RHSA-2026:26997
https://access.redhat.com/errata/RHSA-2026:26999
https://access.redhat.com/errata/RHSA-2026:27001
https://access.redhat.com/errata/RHSA-2026:27004
https://access.redhat.com/errata/RHSA-2026:27063
https://access.redhat.com/errata/RHSA-2026:27076
https://access.redhat.com/errata/RHSA-2026:27712
https://access.redhat.com/errata/RHSA-2026:27856
https://access.redhat.com/errata/RHSA-2026:27892
https://access.redhat.com/errata/RHSA-2026:27893
https://access.redhat.com/errata/RHSA-2026:27901
https://access.redhat.com/errata/RHSA-2026:27957
https://access.redhat.com/errata/RHSA-2026:28047
https://access.redhat.com/errata/RHSA-2026:28893
https://access.redhat.com/errata/RHSA-2026:28964
https://access.redhat.com/errata/RHSA-2026:29079
https://access.redhat.com/errata/RHSA-2026:29082
https://access.redhat.com/errata/RHSA-2026:29854
https://access.redhat.com/errata/RHSA-2026:34049
https://access.redhat.com/errata/RHSA-2026:34097
https://access.redhat.com/errata/RHSA-2026:34099
https://access.redhat.com/errata/RHSA-2026:34364
https://access.redhat.com/errata/RHSA-2026:34769
https://access.redhat.com/errata/RHSA-2026:34794
https://access.redhat.com/errata/RHSA-2026:34795
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:6174
https://access.redhat.com/errata/RHSA-2026:6428
https://access.redhat.com/errata/RHSA-2026:6564
https://access.redhat.com/errata/RHSA-2026:6802
https://access.redhat.com/errata/RHSA-2026:7110
https://access.redhat.com/errata/RHSA-2026:7128
https://access.redhat.com/errata/RHSA-2026:7245
https://access.redhat.com/errata/RHSA-2026:8151
https://access.redhat.com/errata/RHSA-2026:8338
https://access.redhat.com/errata/RHSA-2026:8433
https://access.redhat.com/errata/RHSA-2026:8449
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:9385
https://access.redhat.com/errata/RHSA-2026:9388
https://access.redhat.com/errata/RHSA-2026:9440
https://access.redhat.com/errata/RHSA-2026:9448
https://access.redhat.com/errata/RHSA-2026:9453
https://access.redhat.com/errata/RHSA-2026:9872
https://access.redhat.com/security/cve/CVE-2026-33186
https://bugzilla.redhat.com/show_bug.cgi?id=2449833
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33186.json
cvelogic Threat Intelligence