seclog: GO-2026-4762 #5488

@lucabello

Summary

The chaos server seems to be affected by vulnerability GO-2026-4762 (also known as CVE-2026-33186).

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

More information is available in the GitHub advisory linked above.

Details

Running govulncheck ./... | grep -i grpc -C3 shows the following code paths are involved:

Vulnerability #3: GO-2026-4762
    Authorization bypass in gRPC-Go via missing leading slash in :path in
    google.golang.org/grpc
  More info: https://pkg.go.dev/vuln/GO-2026-4762
  Module: google.golang.org/grpc
    Found in: google.golang.org/grpc@v1.64.1
    Fixed in: google.golang.org/grpc@v1.79.3
    Example traces found:
      #1: server.go:246:28: server.startGRPCServerWithTLS calls grpc.Server.Serve

PoC

As described above, run:

just govulncheck ./... | grep -i grpc -C3

Impact

Quoting from the GitHub advisory I linked above:

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).
The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Remediation

Upgrade the dependency to (at least) the first non-vulnerable version, which would be 1.79.3 as shown in the GitHub advisory linked above.
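The following is an added illustration of the deny-then-allow pattern the quoted advisory describes, written for this issue and not taken from the chaos server or from gRPC-Go. It models the policy decision a path-based interceptor makes on info.FullMethod: an exact-match deny list of canonical "/package.Service/Method" paths with an implicit allow for everything else, beside a stricter variant that rejects any method string that is not a canonical path before the rules are consulted. The service and method names are hypothetical, and the gRPC wiring is left out so the block runs with the standard library only; upgrading to a fixed gRPC-Go release remains the actual remediation, and the strict check is defense in depth for the interceptor.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrDenied is returned when the policy rejects a call.
var ErrDenied = errors.New("permission denied")

// denyList holds canonical gRPC method paths that the policy blocks.
// Everything not listed falls through to an implicit allow, which is the
// second criterion the advisory names. Names are hypothetical.
var denyList = map[string]bool{
	"/chaos.Service/Admin":      true,
	"/chaos.Service/ResetState": true,
}

// authorizeVulnerable mirrors the fragile pattern: the method string a unary
// interceptor receives as info.FullMethod is compared exactly against the
// deny list, and any non-matching string is allowed. A method string that
// lacks the leading slash therefore never matches a deny rule.
func authorizeVulnerable(fullMethod string) error {
	if denyList[fullMethod] {
		return ErrDenied
	}
	return nil // fallback allow
}

// authorizeStrict refuses to evaluate rules against anything that is not a
// canonical "/package.Service/Method" path, so a malformed method string is
// denied instead of reaching the fallback allow.
func authorizeStrict(fullMethod string) error {
	if !isCanonicalMethod(fullMethod) {
		return ErrDenied
	}
	if denyList[fullMethod] {
		return ErrDenied
	}
	return nil
}

// isCanonicalMethod reports whether m has the shape "/service/method" with
// exactly one leading slash, a non-empty service and method, and no further
// path components.
func isCanonicalMethod(m string) bool {
	if !strings.HasPrefix(m, "/") {
		return false
	}
	svc, method, ok := strings.Cut(m[1:], "/")
	if !ok || svc == "" || method == "" {
		return false
	}
	return !strings.Contains(method, "/")
}

func main() {
	// In a real server these functions would be called from a
	// grpc.UnaryServerInterceptor (and its stream counterpart) with
	// info.FullMethod; here we feed constructed method strings directly.
	for _, m := range []string{
		"/chaos.Service/Admin", // canonical path: both variants deny
		"chaos.Service/Admin",  // missing leading slash: only strict denies
		"/chaos.Service/Ping",  // not in the deny list: both allow
	} {
		fmt.Printf("%-22q vulnerable=%v strict=%v\n",
			m, authorizeVulnerable(m), authorizeStrict(m))
	}
}
```

The point the block makes is that a policy built only from deny rules is exactly as strong as the canonicalisation of the string it matches against; an allow-list of canonical methods, or a canonical-shape check like isCanonicalMethod ahead of the rules, removes the dependency on the transport normalising :path for you.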
