VDB
RHSA-2026%3A14775
RHSA-2026%3A14775
PUBLISHED
CVSS 9.100000381469727 CRITICAL
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
Risk Scores
CVSS 3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/openshift4/ose-csi-driver-shared-resource-mustgather-rhel8@sha256:6c3605543dacd227ee1db6edb486707bce9680b12f02cb3ae171aa0b96a6bd62_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ingress-node-firewall-rhel9@sha256:aab9c8ef47d1e7fd1aa22add79a054d2a346447696d1e06a4863718ea2b727c6_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ingress-node-firewall-rhel9@sha256:51831cdc6ef63fda135cd70c4bc62c156a0b7ca74ef1362fb185d1724561aa6f_s390x as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ingress-node-firewall-rhel9-operator@sha256:d06946df9ff9d46bc81ced4be0b3ab0ba9ecbfc33d0ccc7d66dcabc541877968_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-baremetal-cluster-api-controllers-rhel9@sha256:b3b04515ca5278b2170d379964be00ad06683d9bf480a76833119e54793f2160_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:b747df733aebd6c5e1fad3601fd3f63a439e1ccd37ef0466a5695b0d5cea2812_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-ptp-rhel9-operator@sha256:188b0c74026073c1982ac4e470d8cdf61c5f18e418fe39c644099e2f84699817_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-gcp-filestore-csi-driver-rhel8@sha256:d8e5e61e5afdbb9f550fb0a068b57948947151fc61369efc9a950d35cc0637dd_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-egress-dns-proxy@sha256:47065087b4f1a8dfae1dd426a26e44a505dafbfa1e4cf8741dbd5bfedc2d23da_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/metallb-rhel9-operator@sha256:11afd173704d838825ff151117d2e85048e8a2856e2a87c21709f3ec960f0e8f_s390x as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:5f45987e03ee4bb554e5b3d5ec1b808f178de4f011ffd74b367df429d8f975e4_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:1c8098fdfc4c9c28d472fb63d922f5331df1a4e1d5977295c7ab208f6a5b0e01_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-cluster-capacity@sha256:32fb0b26f0765527562b3f08741547fbf9d6118e12e5775e767e811dfb283507_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-local-storage-rhel9-operator@sha256:1cc137f0b07e4f4221da18bc20810273cae2e7e2360700646c8c10e2d2e8d533_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-secrets-store-csi-mustgather-rhel8@sha256:9be2cc40367502f846d80e762404bd3eb1e2195dd096dfb435a0af80173dadce_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-clusterresourceoverride-rhel9@sha256:b139a97bd12890f03e7b0040e54e525bcaf54b4fc76e64c4a4df1ca1fb300b83_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-baremetal-cluster-api-controllers-rhel9@sha256:503493ec18e19701c35e5b3e4478ce514ec64567d081dd0a5c73bdd9f74bc0a7_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-operator-sdk-rhel8@sha256:98ddacac8c30bd70aa2fa55a9351b2986ecd66267cd7e3ba1a98c9f0d20a7053_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-network-rhel9-operator@sha256:740f5a8917483864b73b160137b7c0da1a61efa44785790ca1d2891ca261ee17_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-local-storage-rhel9-operator@sha256:c01521752f051079fbfe4d0c65a640bd0e2beaba8c4232007695652622869223_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
…and 147 more
Timeline
- May 13, 2026 CVE Published
- May 15, 2026 Distribution Patch
- May 15, 2026 Distribution Patch
- May 15, 2026 Security Advisory
- May 15, 2026 Security Advisory
- Jul 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:14775 advisory
- https://access.redhat.com/security/cve/CVE-2026-33186 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_14775.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2449833 issue
- https://www.cve.org/CVERecord?id=CVE-2026-33186 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-33186 advisory
- https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 advisory