CVE-2026-33186 (GCVE-0-2026-33186)
Vulnerability from cvelistv5 – Published: 2026-03-20 22:23 – Updated: 2026-03-24 18:09 – CWE-285: Improper Authorization
| URL | Tags |
|---|---|
| https://github.com/grpc/grpc-go/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T18:08:38.989284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:09:13.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grpc-go",
"vendor": "grpc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.79.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T22:23:32.147Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"source": {
"advisory": "GHSA-p77j-4mvh-x3m3",
"discovery": "UNKNOWN"
},
"title": "gRPC-Go has an authorization bypass via missing leading slash in :path"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33186",
"datePublished": "2026-03-20T22:23:32.147Z",
"dateReserved": "2026-03-17T22:16:36.720Z",
"dateUpdated": "2026-03-24T18:09:13.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33186",
"date": "2026-06-28",
"epss": "0.00522",
"percentile": "0.40351"
}
}
}
cleanstart-2026-yy57430
Vulnerability from cleanstart
Multiple security vulnerabilities affect the temporal-server-fips package. gRPC-Go is the Go language implementation of gRPC. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "temporal-server-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.2-r2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the temporal-server-fips package. gRPC-Go is the Go language implementation of gRPC. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-YY57430",
"modified": "2026-04-15T09:51:54Z",
"published": "2026-04-16T00:41:48.891120Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-YY57430.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "gRPC-Go is the Go language implementation of gRPC",
"upstream": [
"CVE-2026-24051",
"CVE-2026-25679",
"CVE-2026-26958",
"CVE-2026-27139",
"CVE-2026-27142",
"CVE-2026-33186"
]
}
cleanstart-2026-yy85909
Vulnerability from cleanstart
Multiple security vulnerabilities affect the terragrunt-fips package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "terragrunt-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.99.4-r3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the terragrunt-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-YY85909",
"modified": "2026-04-03T07:53:09Z",
"published": "2026-04-06T02:45:22.846774Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-YY85909.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47913"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47914"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58181"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61727"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6g7g-w4f8-9c9x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9h8m-3fm2-qjrq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fw7p-63qq-7hpr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q9hv-hpm4-hj6x"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47913"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47914"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58181"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61727"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-47913, CVE-2025-47914, CVE-2025-58181, CVE-2025-61727, CVE-2025-61729, CVE-2026-1229, CVE-2026-24051, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27141, CVE-2026-27142, CVE-2026-33186, ghsa-6g7g-w4f8-9c9x, ghsa-9h8m-3fm2-qjrq, ghsa-fw7p-63qq-7hpr, ghsa-q9hv-hpm4-hj6x applied in versions: 0.93.13-r1, 0.99.4-r0, 0.99.4-r1, 0.99.4-r2, 0.99.4-r3",
"upstream": [
"CVE-2025-47913",
"CVE-2025-47914",
"CVE-2025-58181",
"CVE-2025-61727",
"CVE-2025-61729",
"CVE-2026-1229",
"CVE-2026-24051",
"CVE-2026-25679",
"CVE-2026-26958",
"CVE-2026-27139",
"CVE-2026-27141",
"CVE-2026-27142",
"CVE-2026-33186",
"ghsa-6g7g-w4f8-9c9x",
"ghsa-9h8m-3fm2-qjrq",
"ghsa-fw7p-63qq-7hpr",
"ghsa-q9hv-hpm4-hj6x"
]
}
FKIE_CVE-2026-33186
Vulnerability from fkie_nvd - Published: 2026-03-20 23:16 - Updated: 2026-06-17 10:37
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 | Mitigation, Vendor Advisory |
{
"affected": [
{
"affectedData": [
{
"product": "grpc-go",
"vendor": "grpc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.79.3"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*",
"matchCriteriaId": "D5AB3ED0-D11B-461E-B2B1-627D5CCEA236",
"versionEndExcluding": "1.79.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."
},
{
"lang": "es",
"value": "gRPC-Go es la implementaci\u00f3n en lenguaje Go de gRPC. Las versiones anteriores a la 1.79.3 tienen un bypass de autorizaci\u00f3n resultante de una validaci\u00f3n de entrada incorrecta del pseudo-encabezado HTTP/2 \u0027:path\u0027. El servidor gRPC-Go era demasiado indulgente en su l\u00f3gica de enrutamiento, aceptando solicitudes donde el \u0027:path\u0027 omit\u00eda la barra inicial obligatoria (por ejemplo, \u0027Service/Method\u0027 en lugar de \u0027/Service/Method\u0027). Si bien el servidor enrut\u00f3 con \u00e9xito estas solicitudes al gestor correcto, los interceptores de autorizaci\u00f3n (incluido el paquete oficial \u0027grpc/authz\u0027) evaluaron la cadena de ruta cruda y no can\u00f3nica. En consecuencia, las reglas de \u0027denegaci\u00f3n\u0027 definidas usando rutas can\u00f3nicas (que comienzan con \u0027/\u0027) no lograron coincidir con la solicitud entrante, permitiendo que bypassara la pol\u00edtica si una regla de \u0027permiso\u0027 de respaldo estaba presente. Esto afecta a los servidores gRPC-Go que utilizan interceptores de autorizaci\u00f3n basados en rutas, como la implementaci\u00f3n oficial de RBAC en \u0027google.golang.org/grpc/authz\u0027 o interceptores personalizados que dependen de \u0027info.FullMethod\u0027 o \u0027grpc.Method(ctx)\u0027; Y que tienen una pol\u00edtica de seguridad que contiene reglas de \u0027denegaci\u00f3n\u0027 espec\u00edficas para rutas can\u00f3nicas pero permite otras solicitudes por defecto (una regla de \u0027permiso\u0027 de respaldo). La vulnerabilidad es explotable por un atacante que puede enviar tramas HTTP/2 crudas con encabezados \u0027:path\u0027 malformados directamente al servidor gRPC. La correcci\u00f3n en la versi\u00f3n 1.79.3 asegura que cualquier solicitud con un \u0027:path\u0027 que no comience con una barra inicial sea inmediatamente rechazada con un error \u0027codes.Unimplemented\u0027, impidiendo que llegue a los interceptores de autorizaci\u00f3n o gestores con una cadena de ruta no can\u00f3nica. Si bien la actualizaci\u00f3n es la ruta m\u00e1s segura y recomendada, los usuarios pueden mitigar la vulnerabilidad utilizando uno de los siguientes m\u00e9todos: Usar un interceptor de validaci\u00f3n (mitigaci\u00f3n recomendada); normalizaci\u00f3n a nivel de infraestructura; y/o endurecimiento de pol\u00edticas."
}
],
"id": "CVE-2026-33186",
"lastModified": "2026-06-17T10:37:05.900",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-33186",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T18:08:38.989284Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-03-20T23:16:45.180",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-P77J-4MVH-X3M3
Vulnerability from github – Published: 2026-03-18 20:10 – Updated: 2026-03-25 18:12
Impact
What kind of vulnerability is it? Who is impacted?
It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.
The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.
Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:
1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).
The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.
Patches
Has the problem been patched? What versions should users upgrade to?
Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.
Users should upgrade to the following versions (or newer):
* v1.79.3
* The latest master branch.
It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:
1. Use a Validating Interceptor (Recommended Mitigation)
Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:
```go
import (
	"context"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// Reject any request whose method name lacks the mandatory leading slash
// before any authorization logic runs.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
	if info.FullMethod == "" || info.FullMethod[0] != '/' {
		return nil, status.Errorf(codes.Unimplemented, "malformed method name")
	}
	return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain; authzInterceptor is the
// server's existing authorization interceptor.
s := grpc.NewServer(
	grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
```
2. Infrastructure-Level Normalization
If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.
3. Policy Hardening
Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.
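To see why the deny rules fail to match in the configuration the advisory describes, here is an added example (not grpc-go or grpc/authz code) that models a path-based RBAC policy in plain Go; the Policy, Rule and ErrMalformedMethod names and the sample method paths are constructed for this illustration. Raw evaluation of a deny-then-allow policy lets a path without the leading slash through, while validating the path first (the fix and workaround 1) or adopting the default-deny posture (workaround 3) closes the gap.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrMalformedMethod stands in for the codes.Unimplemented status that the
// fixed server (and the advisory's validating interceptor) returns.
// Constructed for this example; it is not a grpc-go identifier.
var ErrMalformedMethod = errors.New("unimplemented: malformed method name")

// Rule is one entry of a simplified path-based RBAC policy: it matches when
// the request path equals any of its Paths. Hypothetical type, not grpc/authz.
type Rule struct {
	Action string   // "allow" or "deny"
	Paths  []string // canonical full method names such as "/Service/Method"
}

// Policy mirrors the vulnerable configuration from the advisory: specific
// deny rules followed by a fallback allow (AllowByDefault == true), or, in
// the hardened "default deny" posture, only explicit allow rules.
type Policy struct {
	Rules          []Rule
	AllowByDefault bool
}

// Evaluate applies the rules to the raw path string, exactly as a path-based
// interceptor that trusts info.FullMethod does. Matching is plain string
// equality, so "Service/Method" never equals "/Service/Method".
func (p Policy) Evaluate(path string) string {
	for _, r := range p.Rules {
		for _, rp := range r.Paths {
			if path == rp {
				return r.Action
			}
		}
	}
	if p.AllowByDefault {
		return "allow"
	}
	return "deny"
}

// ValidateFullMethod is the check the fix added and the workaround front-loads:
// an empty path or one without the leading slash never reaches the policy.
func ValidateFullMethod(fullMethod string) error {
	if fullMethod == "" || fullMethod[0] != '/' {
		return ErrMalformedMethod
	}
	return nil
}

// Authorize is the hardened decision path: validate first, then evaluate.
func Authorize(p Policy, path string) (string, error) {
	if err := ValidateFullMethod(path); err != nil {
		return "", err
	}
	return p.Evaluate(path), nil
}

// denyThenAllow reproduces the vulnerable policy shape: deny one sensitive
// method (constructed name), allow everything else by default.
func denyThenAllow() Policy {
	return Policy{
		Rules:          []Rule{{Action: "deny", Paths: []string{"/admin.Admin/DeleteAll"}}},
		AllowByDefault: true,
	}
}

// defaultDeny is the policy-hardening workaround: list allowed methods only.
func defaultDeny() Policy {
	return Policy{
		Rules: []Rule{{Action: "allow", Paths: []string{"/echo.Echo/Ping"}}},
	}
}

func main() {
	vuln := denyThenAllow()
	for _, path := range []string{"/admin.Admin/DeleteAll", "admin.Admin/DeleteAll"} {
		// Raw evaluation: the canonical path is denied, the non-canonical one
		// falls through to the default allow.
		fmt.Printf("raw evaluate %-25q -> %s\n", path, vuln.Evaluate(path))
		// Validated: the non-canonical path is rejected before policy runs.
		d, err := Authorize(vuln, path)
		fmt.Printf("validated    %-25q -> %q %v\n", path, d, err)
	}
	// Default deny: with no fallback allow, an unmatched path is denied anyway.
	fmt.Println("default-deny", defaultDeny().Evaluate("admin.Admin/DeleteAll"))
}
```

The same leading-slash check belongs in a grpc.StreamServerInterceptor as well, where the path is info.FullMethod on *grpc.StreamServerInfo, since the advisory's snippet covers only unary RPCs.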
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "google.golang.org/grpc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.79.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33186"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T20:10:29Z",
"nvd_published_at": "2026-03-20T23:16:45Z",
"severity": "CRITICAL"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nIt is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header.\n\nThe gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present.\n\n**Who is impacted?**\nThis affects gRPC-Go servers that meet both of the following criteria:\n1. They use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`.\n2. Their security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule).\n\nThe vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nYes, the issue has been patched. The fix ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.\n\nUsers should upgrade to the following versions (or newer):\n* **v1.79.3**\n* The latest **master** branch.\n\nIt is recommended that all users employing path-based authorization (especially `grpc/authz`) upgrade as soon as the patch is available in a tagged release.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nWhile upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:\n\n#### 1. Use a Validating Interceptor (Recommended Mitigation)\nAdd an \"outermost\" interceptor to your server that validates the path before any other authorization logic runs:\n\n```go\nfunc pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {\n if info.FullMethod == \"\" || info.FullMethod[0] != \u0027/\u0027 {\n return nil, status.Errorf(codes.Unimplemented, \"malformed method name\")\n } \n return handler(ctx, req)\n}\n\n// Ensure this is the FIRST interceptor in your chain\ns := grpc.NewServer(\n grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),\n)\n```\n\n#### 2. Infrastructure-Level Normalization\nIf your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the `:path` header does not start with a leading slash.\n\n#### 3. Policy Hardening\nSwitch to a \"default deny\" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.",
"id": "GHSA-p77j-4mvh-x3m3",
"modified": "2026-03-25T18:12:09Z",
"published": "2026-03-18T20:10:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "PACKAGE",
"url": "https://github.com/grpc/grpc-go"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "gRPC-Go has an authorization bypass via missing leading slash in :path"
}
MSRC_CVE-2026-33186
Vulnerability from csaf_microsoft - Published: 2026-03-02 00:00 - Updated: 2026-03-26 01:01
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-1 | — | | None Available |
| Unresolved product id: 17084-2 | — | | None Available |
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-33186.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "gRPC-Go has an authorization bypass via missing leading slash in :path",
"tracking": {
"current_release_date": "2026-03-26T01:01:16.000Z",
"generator": {
"date": "2026-03-26T07:07:42.395Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-33186",
"initial_release_date": "2026-03-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-03-26T01:01:16.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "cbl2 grpc 1.42.0-11",
"product": {
"name": "cbl2 grpc 1.42.0-11",
"product_id": "1"
}
},
{
"category": "product_version_range",
"name": "azl3 grpc 1.62.3-1",
"product": {
"name": "azl3 grpc 1.62.3-1",
"product_id": "2"
}
}
],
"category": "product_name",
"name": "grpc"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 grpc 1.42.0-11 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 grpc 1.62.3-1 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"known_affected": [
"17086-1",
"17084-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-33186.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2026-03-26T01:01:16.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17086-1"
]
},
{
"category": "none_available",
"date": "2026-03-26T01:01:16.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"17086-1",
"17084-2"
]
}
],
"title": "gRPC-Go has an authorization bypass via missing leading slash in :path"
}
]
}
OPENSUSE-SU-2026:10407-1
Vulnerability from csaf_opensuse - Published: 2026-03-23 00:00 - Updated: 2026-03-23 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "azure-storage-azcopy-10.32.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the azure-storage-azcopy-10.32.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10407",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10407-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "azure-storage-azcopy-10.32.2-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-23T00:00:00Z",
"generator": {
"date": "2026-03-23T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10407-1",
"initial_release_date": "2026-03-23T00:00:00Z",
"revision_history": [
{
"date": "2026-03-23T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "azure-storage-azcopy-10.32.2-1.1.aarch64",
"product": {
"name": "azure-storage-azcopy-10.32.2-1.1.aarch64",
"product_id": "azure-storage-azcopy-10.32.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "azure-storage-azcopy-10.32.2-1.1.ppc64le",
"product": {
"name": "azure-storage-azcopy-10.32.2-1.1.ppc64le",
"product_id": "azure-storage-azcopy-10.32.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "azure-storage-azcopy-10.32.2-1.1.s390x",
"product": {
"name": "azure-storage-azcopy-10.32.2-1.1.s390x",
"product_id": "azure-storage-azcopy-10.32.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "azure-storage-azcopy-10.32.2-1.1.x86_64",
"product": {
"name": "azure-storage-azcopy-10.32.2-1.1.x86_64",
"product_id": "azure-storage-azcopy-10.32.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azure-storage-azcopy-10.32.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.aarch64"
},
"product_reference": "azure-storage-azcopy-10.32.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azure-storage-azcopy-10.32.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.ppc64le"
},
"product_reference": "azure-storage-azcopy-10.32.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azure-storage-azcopy-10.32.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.s390x"
},
"product_reference": "azure-storage-azcopy-10.32.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azure-storage-azcopy-10.32.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.x86_64"
},
"product_reference": "azure-storage-azcopy-10.32.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.aarch64",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.ppc64le",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.s390x",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.aarch64",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.ppc64le",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.s390x",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.aarch64",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.ppc64le",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.s390x",
"openSUSE Tumbleweed:azure-storage-azcopy-10.32.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-23T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
OPENSUSE-SU-2026:10419-1
Vulnerability from csaf_opensuse - Published: 2026-03-24 00:00 - Updated: 2026-03-24 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.73.3-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-1.73.3-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-1.73.3-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-1.73.3-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "rclone-1.73.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the rclone-1.73.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10419",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10419-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "rclone-1.73.3-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-24T00:00:00Z",
"generator": {
"date": "2026-03-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10419-1",
"initial_release_date": "2026-03-24T00:00:00Z",
"revision_history": [
{
"date": "2026-03-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.73.3-1.1.aarch64",
"product": {
"name": "rclone-1.73.3-1.1.aarch64",
"product_id": "rclone-1.73.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "rclone-bash-completion-1.73.3-1.1.aarch64",
"product": {
"name": "rclone-bash-completion-1.73.3-1.1.aarch64",
"product_id": "rclone-bash-completion-1.73.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.73.3-1.1.aarch64",
"product": {
"name": "rclone-zsh-completion-1.73.3-1.1.aarch64",
"product_id": "rclone-zsh-completion-1.73.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.73.3-1.1.ppc64le",
"product": {
"name": "rclone-1.73.3-1.1.ppc64le",
"product_id": "rclone-1.73.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "rclone-bash-completion-1.73.3-1.1.ppc64le",
"product": {
"name": "rclone-bash-completion-1.73.3-1.1.ppc64le",
"product_id": "rclone-bash-completion-1.73.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.73.3-1.1.ppc64le",
"product": {
"name": "rclone-zsh-completion-1.73.3-1.1.ppc64le",
"product_id": "rclone-zsh-completion-1.73.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.73.3-1.1.s390x",
"product": {
"name": "rclone-1.73.3-1.1.s390x",
"product_id": "rclone-1.73.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "rclone-bash-completion-1.73.3-1.1.s390x",
"product": {
"name": "rclone-bash-completion-1.73.3-1.1.s390x",
"product_id": "rclone-bash-completion-1.73.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.73.3-1.1.s390x",
"product": {
"name": "rclone-zsh-completion-1.73.3-1.1.s390x",
"product_id": "rclone-zsh-completion-1.73.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.73.3-1.1.x86_64",
"product": {
"name": "rclone-1.73.3-1.1.x86_64",
"product_id": "rclone-1.73.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "rclone-bash-completion-1.73.3-1.1.x86_64",
"product": {
"name": "rclone-bash-completion-1.73.3-1.1.x86_64",
"product_id": "rclone-bash-completion-1.73.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.73.3-1.1.x86_64",
"product": {
"name": "rclone-zsh-completion-1.73.3-1.1.x86_64",
"product_id": "rclone-zsh-completion-1.73.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.73.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-1.73.3-1.1.aarch64"
},
"product_reference": "rclone-1.73.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.73.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-1.73.3-1.1.ppc64le"
},
"product_reference": "rclone-1.73.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.73.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-1.73.3-1.1.s390x"
},
"product_reference": "rclone-1.73.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.73.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-1.73.3-1.1.x86_64"
},
"product_reference": "rclone-1.73.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.73.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.aarch64"
},
"product_reference": "rclone-bash-completion-1.73.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.73.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.ppc64le"
},
"product_reference": "rclone-bash-completion-1.73.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.73.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.s390x"
},
"product_reference": "rclone-bash-completion-1.73.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.73.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.x86_64"
},
"product_reference": "rclone-bash-completion-1.73.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.73.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.aarch64"
},
"product_reference": "rclone-zsh-completion-1.73.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.73.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.ppc64le"
},
"product_reference": "rclone-zsh-completion-1.73.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.73.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.s390x"
},
"product_reference": "rclone-zsh-completion-1.73.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.73.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.x86_64"
},
"product_reference": "rclone-zsh-completion-1.73.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:rclone-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:rclone-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:rclone-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.73.3-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.73.3-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.73.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
OPENSUSE-SU-2026:10420-1
Vulnerability from csaf_opensuse - Published: 2026-03-25 00:00 - Updated: 2026-03-25 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "amazon-cloudwatch-agent-1.300064.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the amazon-cloudwatch-agent-1.300064.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10420",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10420-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "amazon-cloudwatch-agent-1.300064.0-2.1 on GA media",
"tracking": {
"current_release_date": "2026-03-25T00:00:00Z",
"generator": {
"date": "2026-03-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10420-1",
"initial_release_date": "2026-03-25T00:00:00Z",
"revision_history": [
{
"date": "2026-03-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.aarch64",
"product": {
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.aarch64",
"product_id": "amazon-cloudwatch-agent-1.300064.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le",
"product": {
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le",
"product_id": "amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.s390x",
"product": {
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.s390x",
"product_id": "amazon-cloudwatch-agent-1.300064.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.x86_64",
"product": {
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.x86_64",
"product_id": "amazon-cloudwatch-agent-1.300064.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.aarch64"
},
"product_reference": "amazon-cloudwatch-agent-1.300064.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le"
},
"product_reference": "amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.s390x"
},
"product_reference": "amazon-cloudwatch-agent-1.300064.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "amazon-cloudwatch-agent-1.300064.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.x86_64"
},
"product_reference": "amazon-cloudwatch-agent-1.300064.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.aarch64",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.s390x",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.aarch64",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.s390x",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.aarch64",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.ppc64le",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.s390x",
"openSUSE Tumbleweed:amazon-cloudwatch-agent-1.300064.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
OPENSUSE-SU-2026:10432-1
Vulnerability from csaf_opensuse - Published: 2026-03-25 00:00 - Updated: 2026-03-25 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "golang-github-v2fly-v2ray-core-5.47.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the golang-github-v2fly-v2ray-core-5.47.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10432",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10432-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "golang-github-v2fly-v2ray-core-5.47.0-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-25T00:00:00Z",
"generator": {
"date": "2026-03-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10432-1",
"initial_release_date": "2026-03-25T00:00:00Z",
"revision_history": [
{
"date": "2026-03-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64",
"product": {
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64",
"product_id": "golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "v2ray-core-5.47.0-1.1.aarch64",
"product": {
"name": "v2ray-core-5.47.0-1.1.aarch64",
"product_id": "v2ray-core-5.47.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le",
"product": {
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le",
"product_id": "golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "v2ray-core-5.47.0-1.1.ppc64le",
"product": {
"name": "v2ray-core-5.47.0-1.1.ppc64le",
"product_id": "v2ray-core-5.47.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x",
"product": {
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x",
"product_id": "golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "v2ray-core-5.47.0-1.1.s390x",
"product": {
"name": "v2ray-core-5.47.0-1.1.s390x",
"product_id": "v2ray-core-5.47.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64",
"product": {
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64",
"product_id": "golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "v2ray-core-5.47.0-1.1.x86_64",
"product": {
"name": "v2ray-core-5.47.0-1.1.x86_64",
"product_id": "v2ray-core-5.47.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64"
},
"product_reference": "golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le"
},
"product_reference": "golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x"
},
"product_reference": "golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64"
},
"product_reference": "golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "v2ray-core-5.47.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.aarch64"
},
"product_reference": "v2ray-core-5.47.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "v2ray-core-5.47.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.ppc64le"
},
"product_reference": "v2ray-core-5.47.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "v2ray-core-5.47.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.s390x"
},
"product_reference": "v2ray-core-5.47.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "v2ray-core-5.47.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.x86_64"
},
"product_reference": "v2ray-core-5.47.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.aarch64",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.ppc64le",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.s390x",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.aarch64",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.ppc64le",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.s390x",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.47.0-1.1.x86_64",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.aarch64",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.ppc64le",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.s390x",
"openSUSE Tumbleweed:v2ray-core-5.47.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
OPENSUSE-SU-2026:10474-1
Vulnerability from csaf_opensuse - Published: 2026-04-01 00:00 - Updated: 2026-04-01 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ignition-2.26.0-3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ignition-2.26.0-3.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ignition-2.26.0-3.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ignition-2.26.0-3.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ignition-2.26.0-3.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ignition-2.26.0-3.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10474",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10474-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "ignition-2.26.0-3.1 on GA media",
"tracking": {
"current_release_date": "2026-04-01T00:00:00Z",
"generator": {
"date": "2026-04-01T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10474-1",
"initial_release_date": "2026-04-01T00:00:00Z",
"revision_history": [
{
"date": "2026-04-01T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ignition-2.26.0-3.1.aarch64",
"product": {
"name": "ignition-2.26.0-3.1.aarch64",
"product_id": "ignition-2.26.0-3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ignition-2.26.0-3.1.ppc64le",
"product": {
"name": "ignition-2.26.0-3.1.ppc64le",
"product_id": "ignition-2.26.0-3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ignition-2.26.0-3.1.s390x",
"product": {
"name": "ignition-2.26.0-3.1.s390x",
"product_id": "ignition-2.26.0-3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ignition-2.26.0-3.1.x86_64",
"product": {
"name": "ignition-2.26.0-3.1.x86_64",
"product_id": "ignition-2.26.0-3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ignition-2.26.0-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ignition-2.26.0-3.1.aarch64"
},
"product_reference": "ignition-2.26.0-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ignition-2.26.0-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ignition-2.26.0-3.1.ppc64le"
},
"product_reference": "ignition-2.26.0-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ignition-2.26.0-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ignition-2.26.0-3.1.s390x"
},
"product_reference": "ignition-2.26.0-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ignition-2.26.0-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ignition-2.26.0-3.1.x86_64"
},
"product_reference": "ignition-2.26.0-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ignition-2.26.0-3.1.aarch64",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.ppc64le",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.s390x",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ignition-2.26.0-3.1.aarch64",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.ppc64le",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.s390x",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ignition-2.26.0-3.1.aarch64",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.ppc64le",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.s390x",
"openSUSE Tumbleweed:ignition-2.26.0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-01T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.