VDB
RHSA-2026%3A26999
RHSA-2026%3A26999
PUBLISHED
CVSS 9.100000381469727 CRITICAL
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
Risk Scores
CVSS 3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | kernel-rt-64k-debug-modules-core-0:5.14.0-570.122.1.el9_6.aarch64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | rv-0:5.14.0-570.122.1.el9_6.aarch64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-64k-modules-core-0:5.14.0-570.122.1.el9_6.aarch64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-0:5.14.0-570.122.1.el9_6.x86_64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-modules-partner-0:5.14.0-570.122.1.el9_6.s390x as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | rtla-0:5.14.0-570.122.1.el9_6.aarch64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | libperf-0:5.14.0-570.122.1.el9_6.s390x as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-modules-0:5.14.0-570.122.1.el9_6.s390x as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-rt-debug-core-0:5.14.0-570.122.1.el9_6.x86_64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | perf-0:5.14.0-570.122.1.el9_6.x86_64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-devel-matched-0:5.14.0-570.122.1.el9_6.s390x as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-zfcpdump-modules-internal-0:5.14.0-570.122.1.el9_6.s390x as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-debug-devel-matched-0:5.14.0-570.122.1.el9_6.aarch64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-debug-0:5.14.0-570.122.1.el9_6.ppc64le as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | ose-azure-acr-image-credential-provider-0:4.19.0-202606111920.p2.g6282230.assembly.stream.el9.s390x as a component of Red Hat OpenShift Container Platform 4.19 | 4.19.0-202606111920.p2.g6282230.assembly.stream.el9.s390x, 4.19.0-202606111920.p2.g6282230.assembly.stream.el9.s390x, 4.19.0-202606111920.p2.g6282230.assembly.stream.el9.s390x |
| Red Hat | kernel-tools-libs-devel-0:5.14.0-570.122.1.el9_6.x86_64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-devel-0:5.14.0-570.122.1.el9_6.x86_64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-modules-core-0:5.14.0-570.122.1.el9_6.x86_64 as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | kernel-debuginfo-0:5.14.0-570.122.1.el9_6.s390x as a component of Red Hat OpenShift Container Platform 4.19 | 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9, 5.14.0-570.122.1.el9 |
| Red Hat | ose-azure-acr-image-credential-provider-0:4.19.0-202606111920.p2.g6282230.assembly.stream.el9.aarch64 as a component of Red Hat OpenShift Container Platform 4.19 | 4.19.0-202606111920.p2.g6282230.assembly.stream.el9.aarch64, 4.19.0-202606111920.p2.g6282230.assembly.stream.el9.aarch64, 4.19.0-202606111920.p2.g6282230.assembly.stream.el9.aarch64 |
…and 231 more
Timeline
- Jun 24, 2026 CVE Published
- Jun 26, 2026 Distribution Patch
- Jun 26, 2026 Distribution Patch
- Jun 26, 2026 Security Advisory
- Jun 26, 2026 Security Advisory
- Jul 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:26999 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2449833 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26999.json advisory
- https://access.redhat.com/security/cve/CVE-2026-33186 advisory
- https://www.cve.org/CVERecord?id=CVE-2026-33186 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-33186 advisory
- https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 advisory