Traefik gRPC Deny Rule Bypass Vulnerability (CVE-2026-33186)
A remote, unauthenticated attacker can bypass Traefik deny rules by sending malformed gRPC requests with a missing leading slash in the `:path` pseudo-header, exploiting a vulnerability in the gRPC-Go dependency, leading to unauthorized access if a fallback "allow" rule is configured.
Traefik, a popular reverse proxy and load balancer, is susceptible to a deny rule bypass (CVE-2026-33186) due to a flaw in its gRPC-Go dependency. This vulnerability affects Traefik versions prior to 2.11.42, versions 3.0.0-beta3 through 3.6.11, and versions 3.7.0-ea.1 through 3.7.0-ea.3. An unauthenticated attacker can exploit this by sending gRPC requests with a malformed HTTP/2 `:path` pseudo-header that omits the leading slash (e.g., `Service/Method` instead of `/Service/Method`). While…
Detection coverage (2 rules)
Detect Traefik gRPC Path Bypass Attempt
Severity: high. Detects attempts to bypass Traefik's authorization by sending gRPC requests with a malformed `:path` header (missing leading slash).
Detect Traefik gRPC Path Bypass Attempt - HTTP Method Check
Severity: high. Detects attempts to bypass Traefik's authorization by sending gRPC requests with a malformed `:path` header, additionally requiring the POST method.
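The two rules above, and the bypass condition described in the vulnerability summary, expressed as a log-side check. This is an added example, not one of the platform's rules and not Traefik's code; the log lines are constructed, and the field names (`RequestPath`, `RequestMethod`, `request_Content-Type`, `RouterName`, `DownstreamStatus`) are assumed to follow Traefik's JSON access-log layout.

```python
import json
from typing import Dict, List

# Constructed sample access-log lines in Traefik JSON style (assumed field names).
# Line 2 and 4 carry a gRPC path with no leading slash, the CVE-2026-33186 pattern;
# line 2 reached the fallback "allow" router and got a 200, i.e. a likely bypass.
SAMPLE_LOG = """
{"ClientAddr":"203.0.113.10:51234","RequestMethod":"POST","RequestPath":"/helloworld.Greeter/SayHello","RequestProtocol":"HTTP/2.0","request_Content-Type":"application/grpc","RouterName":"grpc-deny@file","DownstreamStatus":403}
{"ClientAddr":"203.0.113.10:51235","RequestMethod":"POST","RequestPath":"helloworld.Greeter/SayHello","RequestProtocol":"HTTP/2.0","request_Content-Type":"application/grpc","RouterName":"grpc-allow@file","DownstreamStatus":200}
{"ClientAddr":"198.51.100.7:40022","RequestMethod":"GET","RequestPath":"/healthz","RequestProtocol":"HTTP/1.1","request_Content-Type":"","RouterName":"web@file","DownstreamStatus":200}
{"ClientAddr":"203.0.113.10:51236","RequestMethod":"GET","RequestPath":"helloworld.Greeter/SayHello","RequestProtocol":"HTTP/2.0","request_Content-Type":"application/grpc","RouterName":"grpc-allow@file","DownstreamStatus":404}
"""


def is_grpc(entry: Dict) -> bool:
    """gRPC is identified by its content type; Traefik logs it under request_Content-Type (assumed)."""
    ctype = entry.get("request_Content-Type") or ""
    return ctype.startswith("application/grpc")


def has_malformed_path(entry: Dict) -> bool:
    """A valid HTTP/2 :path for gRPC is /Service/Method; no leading slash is the bypass pattern."""
    path = entry.get("RequestPath") or ""
    return bool(path) and not path.startswith("/")


def find_bypass_attempts(log_text: str, require_post: bool = False) -> List[Dict]:
    """Rule 1 (require_post=False): gRPC request whose path lacks the leading slash.
    Rule 2 (require_post=True): same, restricted to POST, the only method gRPC uses,
    which drops noise from scanners probing with other methods.
    Each hit is annotated with 'likely_bypass' when the backend answered 2xx."""
    hits: List[Dict] = []
    for raw in log_text.strip().splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the whole scan
        if not (is_grpc(entry) and has_malformed_path(entry)):
            continue
        if require_post and entry.get("RequestMethod") != "POST":
            continue
        status = int(entry.get("DownstreamStatus", 0))
        entry["likely_bypass"] = 200 <= status < 300
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG, require_post=True):
        print(hit["ClientAddr"], hit["RequestPath"], hit["RouterName"], hit["likely_bypass"])
```

A hit whose `likely_bypass` flag is set and whose `RouterName` is the fallback allow router is the case the advisory warns about and should be escalated, not just counted.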