A new critical CVE was found for grpc that allows an auth bypass due to improper validation.
The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.
https://www.tenable.com/cve/CVE-2026-33186
We need to bump to the latest version, v1.79.3.
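The mismatch described above, as an added example (a simplified model, not gRPC-Go or grpc/authz code): a deny rule written with the canonical path does not match the slash-less form, so the fallback allow rule decides. `Rule`, `evaluate`, `evaluateStrict` and `samplePolicy` are hypothetical names, the policy is constructed, and the strict check is one possible guard rather than the upstream fix.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified stand-in for one authorization policy entry.
type Rule struct {
	Path  string // exact full-method path, or "*" to match anything
	Allow bool
}

// evaluate returns the decision of the first matching rule (default deny).
// It compares the raw path string, as the interceptors in the report did.
func evaluate(rules []Rule, path string) bool {
	for _, r := range rules {
		if r.Path == "*" || r.Path == path {
			return r.Allow
		}
	}
	return false
}

// evaluateStrict refuses any path without the mandatory leading slash
// before the policy is consulted, so non-canonical forms never reach it.
func evaluateStrict(rules []Rule, path string) bool {
	if !strings.HasPrefix(path, "/") {
		return false
	}
	return evaluate(rules, path)
}

// samplePolicy is constructed: deny one method, allow everything else.
func samplePolicy() []Rule {
	return []Rule{
		{Path: "/Service/Method", Allow: false},
		{Path: "*", Allow: true},
	}
}

func main() {
	p := samplePolicy()
	for _, path := range []string{"/Service/Method", "Service/Method"} {
		fmt.Printf("%-18q raw=%v strict=%v\n",
			path, evaluate(p, path), evaluateStrict(p, path))
	}
}
```

Policies that end in a fallback allow are the ones exposed; a default-deny policy with explicit allow rules would not match the non-canonical path at all.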