https://feed.craftedsignal.io/tags/cve-2026-33186/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 29 Mar 2026 15:37:47 +0000https://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/Sun, 29 Mar 2026 15:37:47 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/A remote, unauthenticated attacker can bypass Traefik deny rules by sending malformed gRPC requests with a missing leading slash in the `:path` pseudo-header, exploiting a vulnerability in the gRPC-Go dependency, leading to unauthorized access if a fallback "allow" rule is configured.Traefik, a popular reverse proxy and load balancer, is susceptible to a denial rule bypass (CVE-2026-33186) due to a flaw in its gRPC-Go dependency. This vulnerability affects Traefik versions prior to 2.11.42, versions 3.0.0-beta3 through 3.6.11, and versions 3.7.0-ea.1 through 3.7.0-ea.3. An unauthenticated attacker can exploit this by sending gRPC requests with a malformed HTTP/2 :path pseudo-header that omits the leading slash (e.g., Service/Method instead of /Service/Method). While…

]]>highadvisorytraefikgrpcauthorization-bypasscve-2026-33186