VDB

RHSA-2026%3A24535

RHSA-2026%3A24535 PUBLISHED CVSS 9.100000381469727 CRITICAL

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.

Risk Scores

CVSS 3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products

VendorProductVersions
Red Hatregistry.redhat.io/openshift4/lifecycle-agent-rhel9-operator@sha256:0c2894cb04a5cd4fbb0f944c946278a3921b1b9b88e6f82cfcf9d26594b595d1_arm64 as a component of Red Hat OpenShift Container Platform 4.20*, *, *
Red HatOpenShift Container Platform 4.20
Red HatOpenShift Container Platform
Red Hatregistry.redhat.io/openshift4/recert-rhel9@sha256:d05ff0fc7fbf384bfe09e461d0039921295935e26206e7b9ead58eb53086c3db_amd64 as a component of Red Hat OpenShift Container Platform 4.20*, *, *
Red Hatregistry.redhat.io/openshift4/lifecycle-agent-operator-bundle@sha256:d58fcab5a50f6df010b50ca86346e082ce355f3ac4fa6f8dd1606a0522cbc743_amd64
Red Hatregistry.redhat.io/openshift4/recert-rhel9@sha256:7fbd77831e69c22e0c6a2bb310b25cd79fc4eeff30a5721e9ef84809937476c0_arm64 as a component of Red Hat OpenShift Container Platform 4.20*, *, *
Red Hatregistry.redhat.io/openshift4/lifecycle-agent-rhel9-operator@sha256:47db1a245c9f18162fb93e9fc9ae6513b7858a151c51bbd0d89b026e55d40f0d_amd64 as a component of Red Hat OpenShift Container Platform 4.20*, *, *
Red Hatlifecycle-agent-operator-bundle
Red Hatregistry.redhat.io/openshift4/lifecycle-agent-operator-bundle@sha256:d58fcab5a50f6df010b50ca86346e082ce355f3ac4fa6f8dd1606a0522cbc743_amd64 as a component of Red Hat OpenShift Container Platform 4.20*, *, *

Timeline

  • Jun 8, 2026 CVE Published
  • Jun 9, 2026 Distribution Patch
  • Jun 9, 2026 Distribution Patch
  • Jun 9, 2026 Security Advisory
  • Jun 9, 2026 Security Advisory
  • Jul 15, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›