CVE Reports

Posted on • Originally published at cvereports.com

GHSA-46WH-3698-F2CX: CVE-2026-33186: Deny Rule Bypass in Traefik via gRPC-Go Path Canonicalization Flaw

Vulnerability ID: GHSA-46WH-3698-F2CX
CVSS Score: 9.3
Published: 2026-03-29

A critical authorization bypass vulnerability exists in Traefik due to improper path normalization in its underlying gRPC-Go dependency (CVE-2026-33186). Unauthenticated attackers can bypass configured deny rules by sending maliciously crafted gRPC requests over HTTP/2 that omit the mandatory leading slash in the :path pseudo-header. This canonicalization mismatch allows unauthorized access to protected services.

TL;DR

Traefik and gRPC-Go fail to properly normalize HTTP/2 :path headers, allowing unauthenticated attackers to bypass authorization deny rules by omitting the leading slash in the request path.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-863
  • Attack Vector: Network
  • CVSS Score: 9.3
  • Impact: Authorization Bypass
  • Exploit Status: PoC Available
  • Authentication: Not Required

Affected Systems

  • Traefik v2: < 2.11.42 (Fixed in: 2.11.42)
  • Traefik v3: < 3.6.12 (Fixed in: 3.6.12)
  • Traefik v3 (EA): < 3.7.0-ea.3 (Fixed in: 3.7.0-ea.3)
  • gRPC-Go (google.golang.org/grpc): < 1.79.3 (Fixed in: 1.79.3)

Code Analysis

Commit: 72186f1

Enforce strict leading slash in HTTP/2 :path header to prevent authorization bypass

Exploit Details

  • gRPC-Go Test Suite: Unit test demonstrating the bypass by omitting the leading slash in the HTTP/2 HEADERS frame.

Mitigation Strategies

  • Update Traefik to version 2.11.42, 3.6.12, or 3.7.0-ea.3
  • Update google.golang.org/grpc to version 1.79.3
  • Ensure GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING is not set to true
  • Implement WAF rules to reject HTTP/2 requests with gRPC content types that lack a leading slash in the :path header
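As an added illustration (not code from the advisory, Traefik, or gRPC-Go), the Go program below models the mismatch described in the TL;DR and the strict leading-slash check that both the upstream fix and the WAF mitigation above rely on: a deny list written against canonical (leading-slash) gRPC method paths, a lenient evaluator that matches the raw :path and therefore lets a slash-less path fall through to allow, a strict evaluator that rejects any gRPC request whose path does not start with "/", and an http.Handler wrapper applying the same rule in front of a backend. The deny list, service names and handlers are constructed for this example and do not reflect Traefik's configuration format.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed deny list keyed on the canonical gRPC method path (leading slash).
// This only models the matching behaviour, not any real proxy's rule syntax.
var deniedPrefixes = []string{"/admin.Service/"}

// denyRuleMatches matches the raw :path value against the deny list.
// A rule written as "/admin.Service/" does not match "admin.Service/Reset",
// which is the canonicalization gap the advisory describes.
func denyRuleMatches(rawPath string) bool {
	for _, prefix := range deniedPrefixes {
		if strings.HasPrefix(rawPath, prefix) {
			return true
		}
	}
	return false
}

// isGRPCContentType reports whether the request carries a gRPC payload,
// the condition the advisory's WAF mitigation keys on.
func isGRPCContentType(ct string) bool {
	return strings.HasPrefix(ct, "application/grpc")
}

// Decision is the outcome of the pre-routing authorization step.
type Decision string

const (
	Allow  Decision = "allow"
	Deny   Decision = "deny"   // blocked by a matching deny rule
	Reject Decision = "reject" // malformed :path rejected before rules run
)

// authorizeLenient has the vulnerable shape: deny rules are evaluated on the
// raw path with no leading-slash requirement, so a path that omits the slash
// is never matched and falls through to Allow.
func authorizeLenient(rawPath string) Decision {
	if denyRuleMatches(rawPath) {
		return Deny
	}
	return Allow
}

// authorizeStrict has the fixed shape (commit 72186f1, "enforce strict leading
// slash"): a gRPC request whose :path does not start with "/" is rejected
// outright, so deny rules only ever evaluate canonical paths.
func authorizeStrict(rawPath string, isGRPC bool) Decision {
	if isGRPC && !strings.HasPrefix(rawPath, "/") {
		return Reject
	}
	if denyRuleMatches(rawPath) {
		return Deny
	}
	return Allow
}

// strictPathMiddleware applies the same check as an http.Handler wrapper, the
// kind of rule a WAF or edge proxy would enforce in front of an unpatched backend.
func strictPathMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isGRPCContentType(r.Header.Get("Content-Type")) && !strings.HasPrefix(r.URL.Path, "/") {
			http.Error(w, "malformed :path for gRPC request", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a constructed gRPC-typed request through the middleware and
// returns the HTTP status. net/http's own parser refuses a request target
// without a leading slash, so the raw :path is placed in the URL directly,
// as a proxy forwarding the pseudo-header verbatim would present it.
func probe(path string) int {
	h := strictPathMiddleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := &http.Request{
		Method: http.MethodPost,
		URL:    &url.URL{Path: path},
		Header: http.Header{"Content-Type": {"application/grpc"}},
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, p := range []string{"/admin.Service/Reset", "admin.Service/Reset"} {
		fmt.Printf("%-22s lenient=%-6s strict=%-6s middleware=%d\n",
			p, authorizeLenient(p), authorizeStrict(p, true), probe(p))
	}
}
```

The point to take from the output is that the lenient evaluator returns allow for the slash-less path even though the canonical form of the same method is denied, while the strict evaluator and the middleware never let a non-canonical gRPC path reach rule evaluation at all. Rejecting before matching is the robust choice: normalizing the path by prepending a slash would also work for this case, but it silently accepts malformed input and leaves room for the next canonicalization difference between the proxy and the backend.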

Remediation Steps:

  1. Audit all deployments of Traefik and identify the running versions.
  2. Schedule emergency maintenance windows to deploy the updated Traefik binaries.
  3. For custom applications, update the go.mod file to require google.golang.org/grpc v1.79.3 or higher.
  4. Run go mod tidy and recompile the affected applications.
  5. Deploy the recompiled applications and verify normal gRPC communication.
  6. Review environment variable configurations to guarantee GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING is absent.

Read the full report for GHSA-46WH-3698-F2CX on our website for more details including interactive diagrams and full exploit analysis.
