Listen to this Post
The vulnerability stems from Traefik’s dependency on a vulnerable version of gRPC-Go (CVE-2026-33186). In gRPC-Go, the HTTP/2 `:path` pseudo‑header is expected to start with a slash (e.g., /Service/Method). When an attacker sends a request with a malformed `:path` that omits the leading slash (e.g., Service/Method), the gRPC‑Go server internally routes the request correctly—matching the intended service and method. However, path‑based authorization interceptors (such as those used in Traefik’s middleware) evaluate the raw, non‑canonical path string. Because the interceptor sees `Service/Method` instead of /Service/Method, any “deny” rule defined for the canonical path does not trigger. If a fallback “allow” rule exists, the request is granted access, effectively bypassing the intended authorization policy. Traefik versions prior to 3.6.11 and 2.11.41 incorporate the affected gRPC‑Go versions (before the fix). Patches update the gRPC‑Go dependency to a corrected release that normalizes the `:path` header before authorization checks, ensuring that deny rules are properly matched regardless of the leading slash.
dailycve form:
Platform: Traefik
Version: <3.6.11,<2.11.41
Vulnerability: Authorization bypass via :path
Severity: Critical
date: 2026-03-30
Prediction: Already patched (upgrade)
What Undercode Say:
Check Traefik version (if running as binary) traefik version For containerized deployments, inspect image tag docker inspect traefik:latest | grep -i version Verify vulnerable gRPC-Go dependency in source build grep "google.golang.org/grpc" go.mod Simulate malformed :path request (requires grpcurl) grpcurl -vv -H ":path: Service/Method" -plaintext localhost:8080 my.package.Service/Method Upgrade to patched version For Traefik v2: use v2.11.41 or later For Traefik v3: use v3.6.11 or later
Exploit:
An unauthenticated attacker sends a gRPC request with the `:path` pseudo‑header set to `Service/Method` (no leading slash) to a Traefik instance that uses a path‑based authorization middleware with a “deny” rule for `/Service/Method` and a default “allow” rule. The request is routed to the correct backend but the deny rule is never evaluated, so the request is permitted.
Protection from this CVE:
Upgrade Traefik to version 3.6.11 or 2.11.41 (or newer). If building from source, update the `google.golang.org/grpc` dependency to a version that includes the fix (v1.71.1 or later). Alternatively, avoid relying solely on path‑based deny rules; use additional authorization layers that are not affected by this normalization mismatch.
Impact:
Successful exploitation allows an attacker to bypass path‑based authorization rules, potentially gaining unauthorized access to gRPC services that should be restricted. This can lead to information disclosure, unauthorized actions, or privilege escalation depending on the exposed gRPC endpoints.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

