Source: golang-google-grpc
Version: 1.66.3-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for golang-google-grpc.

CVE-2026-33186[0]:
| gRPC-Go is the Go language implementation of gRPC. Versions prior to
| 1.79.3 have an authorization bypass resulting from improper input
| validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server
| was too lenient in its routing logic, accepting requests where the
| `:path` omitted the mandatory leading slash (e.g., `Service/Method`
| instead of `/Service/Method`). While the server successfully routed
| these requests to the correct handler, authorization interceptors
| (including the official `grpc/authz` package) evaluated the raw,
| non-canonical path string. Consequently, "deny" rules defined using
| canonical paths (starting with `/`) failed to match the incoming
| request, allowing it to bypass the policy if a fallback "allow" rule
| was present. This affects gRPC-Go servers that use path-based
| authorization interceptors, such as the official RBAC implementation
| in `google.golang.org/grpc/authz` or custom interceptors relying on
| `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security
| policy that contains specific "deny" rules for canonical paths but
| allows other requests by default (a fallback "allow" rule). The
| vulnerability is exploitable by an attacker who can send raw HTTP/2
| frames with malformed `:path` headers directly to the gRPC server.
| The fix in version 1.79.3 ensures that any request with a `:path`
| that does not start with a leading slash is immediately rejected
| with a `codes.Unimplemented` error, preventing it from reaching
| authorization interceptors or handlers with a non-canonical path
| string. While upgrading is the most secure and recommended path,
| users can mitigate the vulnerability using one of the following
| methods: Use a validating interceptor (recommended mitigation);
| infrastructure-level normalization; and/or policy hardening.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33186
    https://www.cve.org/CVERecord?id=CVE-2026-33186
[1] https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
[2] https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
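The "validating interceptor" mitigation named in the advisory comes down to one check: refuse any method path that does not start with `/` before the policy ever sees it. The following added example (not from the bug report, the advisory, or the grpc-go project) models that check in plain Go so it runs without the gRPC module. `denyList`, `authorize`, `validateMethodPath` and `handle` are constructed for this illustration; `authorize` stands in for a path-based policy with exact-match deny rules and a fallback allow, which is the configuration the advisory says is affected. In a real server the same check sits at the top of a `grpc.UnaryServerInterceptor` (and the stream equivalent), applied to `info.FullMethod`, returning `status.Error(codes.Unimplemented, ...)` so the request never reaches the authz interceptor or handler with a non-canonical path.

```go
package main

import (
	"fmt"
	"strings"
)

// denyList models a policy with specific "deny" rules written for canonical
// paths. The service/method name is a constructed sample value.
var denyList = map[string]bool{
	"/sample.Admin/DeleteUser": true,
}

// authorize evaluates the policy against the raw path string exactly as a
// path-based interceptor did before the fix: exact-match deny, else the
// fallback "allow" applies.
func authorize(fullMethod string) bool {
	if denyList[fullMethod] {
		return false
	}
	return true // fallback allow rule
}

// validateMethodPath is the validating-interceptor check (hypothetical
// helper): a method path that does not start with "/" is rejected before
// any policy is consulted. In grpc-go this would be surfaced as
// codes.Unimplemented; here it is a plain error.
func validateMethodPath(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return fmt.Errorf("unimplemented: malformed method path %q (missing leading slash)", fullMethod)
	}
	return nil
}

// handle runs the request through the optional validation step and then
// the policy, returning "unimplemented", "denied" or "ok". The validate
// flag lets the same function show the unmitigated and mitigated paths.
func handle(fullMethod string, validate bool) string {
	if validate {
		if err := validateMethodPath(fullMethod); err != nil {
			return "unimplemented"
		}
	}
	if !authorize(fullMethod) {
		return "denied"
	}
	return "ok"
}

func main() {
	for _, p := range []string{"/sample.Admin/DeleteUser", "sample.Admin/DeleteUser", "/sample.Admin/GetUser"} {
		fmt.Printf("%-26s without validation: %-13s with validation: %s\n",
			p, handle(p, false), handle(p, true))
	}
}
```

The unvalidated run shows why the deny rule is ineffective on its own: the non-canonical string never equals the canonical key, so the fallback allow wins. The validated run rejects the malformed path outright, and canonical paths are still evaluated by the policy unchanged, which is the behaviour the 1.79.3 fix gives you without an interceptor.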

