VDB
RHSA-2026%3A24535
RHSA-2026%3A24535
PUBLISHED
CVSS 9.100000381469727 CRITICAL
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
Risk Scores
CVSS 3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/openshift4/lifecycle-agent-rhel9-operator@sha256:0c2894cb04a5cd4fbb0f944c946278a3921b1b9b88e6f82cfcf9d26594b595d1_arm64 as a component of Red Hat OpenShift Container Platform 4.20 | *, *, * |
| Red Hat | OpenShift Container Platform 4.20 | |
| Red Hat | OpenShift Container Platform | |
| Red Hat | registry.redhat.io/openshift4/recert-rhel9@sha256:d05ff0fc7fbf384bfe09e461d0039921295935e26206e7b9ead58eb53086c3db_amd64 as a component of Red Hat OpenShift Container Platform 4.20 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/lifecycle-agent-operator-bundle@sha256:d58fcab5a50f6df010b50ca86346e082ce355f3ac4fa6f8dd1606a0522cbc743_amd64 | |
| Red Hat | registry.redhat.io/openshift4/recert-rhel9@sha256:7fbd77831e69c22e0c6a2bb310b25cd79fc4eeff30a5721e9ef84809937476c0_arm64 as a component of Red Hat OpenShift Container Platform 4.20 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/lifecycle-agent-rhel9-operator@sha256:47db1a245c9f18162fb93e9fc9ae6513b7858a151c51bbd0d89b026e55d40f0d_amd64 as a component of Red Hat OpenShift Container Platform 4.20 | *, *, * |
| Red Hat | lifecycle-agent-operator-bundle | |
| Red Hat | registry.redhat.io/openshift4/lifecycle-agent-operator-bundle@sha256:d58fcab5a50f6df010b50ca86346e082ce355f3ac4fa6f8dd1606a0522cbc743_amd64 as a component of Red Hat OpenShift Container Platform 4.20 | *, *, * |
Timeline
- Jun 8, 2026 CVE Published
- Jun 9, 2026 Distribution Patch
- Jun 9, 2026 Distribution Patch
- Jun 9, 2026 Security Advisory
- Jun 9, 2026 Security Advisory
- Jul 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:24535 advisory
- https://access.redhat.com/security/cve/CVE-2026-33186 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_24535.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2449833 issue
- https://www.cve.org/CVERecord?id=CVE-2026-33186 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-33186 advisory
- https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 advisory