VDB
RHSA-2026%3A25183
RHSA-2026%3A25183
PUBLISHED
CVSS 9.100000381469727 CRITICAL
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
Risk Scores
CVSS 3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/openshift4/rdma-cni-rhel9@sha256:66ff80ec62c5ca9acde62ec1959636c0838a4c3f743fe7fa7ee16cfa73b68ef6_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-cloud-event-proxy-rhel9@sha256:bbc22eb8e3c8b1a8b6e4c4c67a7de7029a663844b4a32d97ce4cb9409c6a7243_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-clusterresourceoverride-rhel9@sha256:318a0790da610c038878f604984d2097fd343950c7a19be380c0eb93576ce149_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/metallb-rhel9-operator@sha256:a7c7353f650032dca77642c03e019f51d03e0e53833cae3e4a8716e6aa5e3137_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/metallb-rhel9@sha256:99045a0ec0103824cd7b15967ea1a24cbfa22895b8da40fe90cb7eb0b7c64db1_s390x as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-local-storage-rhel9-operator@sha256:f81893728b3145fd8cf3124c8322152a39a6a6dcecc22c5635f708d70d6441e9_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/nmstate-console-plugin-rhel9@sha256:8e7193f7c19de6f69e9e8bf1195ff7127f5b457c77982dc0ea82aa9654b41295_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ptp-must-gather-rhel9@sha256:30105855d24dd4c3416e17eec9266e4caacbeeec9e36cc9e9ae1733af3002c6f_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-csi-livenessprobe-rhel9@sha256:35529853993d22db0e171ead911ad6be43aad6fb7412ad60cc8780dd041eeac6_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-clusterresourceoverride-rhel9@sha256:7d0ee426415366ae01e279d9d37910f512101d0ca3954fada90f7ef41c463623_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-ptp-rhel9-operator@sha256:0d321b8b7557ac625caf6ad70ca1e67a1aaf7e32bcdf9ec3f11c13e19b87cfab_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-gcp-filestore-csi-driver-rhel9@sha256:b1bdce7ab2da5d78661deb28655869c3ef5b465c84deaed87f1051a9ff80de46_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-secrets-store-csi-mustgather-rhel9@sha256:64ef93e2a8693f00a5583436646d8521c681541e6272d014aad859d667883f8e_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-ansible-rhel9-operator@sha256:03bae849f44c05a66cc12a3e7ec69cf462de8229a81790d0bbed26bf58fb7818_s390x as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:555200bcc71ee842a5589e5aeb0b933967fb694b3fe54c5837b827cf05dd520f_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel9@sha256:ce32166f81967cc551375285d9659c4511888a843e825165e53264bda6d29735_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/kubernetes-nmstate-rhel9-operator@sha256:36282ae55143491dd562a82d206bc2e9ea8d4f5efefe3197451f1c539ad7f7f5_ppc64le as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-operator-sdk-rhel9@sha256:df25d8f43c3c350e69df77cfc30a3bd7305ed33640cf75c902bc6042d78119b6_s390x as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-dpu-cni-rhel9@sha256:05c6827b78a5be71ae14dbd308cad44b474fd45396a0a275070615123845dc83_amd64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:51b605ad52f3f2e716c3cbe0f1b39657713ef1f908ec3fa96f6ef9bcd06929fd_arm64 as a component of Red Hat OpenShift Container Platform 4.18 | *, *, * |
…and 186 more
Timeline
- Jun 17, 2026 CVE Published
- Jun 17, 2026 Distribution Patch
- Jun 17, 2026 Distribution Patch
- Jun 17, 2026 Security Advisory
- Jun 17, 2026 Security Advisory
- Jul 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:25183 advisory
- https://access.redhat.com/security/cve/CVE-2026-33186 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_25183.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2449833 issue
- https://www.cve.org/CVERecord?id=CVE-2026-33186 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-33186 advisory
- https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 advisory