{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/grpc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["traefik","grpc","authorization-bypass","cve-2026-33186"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTraefik, a popular reverse proxy and load balancer, is susceptible to a denial rule bypass (CVE-2026-33186) due to a flaw in its gRPC-Go dependency. This vulnerability affects Traefik versions prior to 2.11.42, versions 3.0.0-beta3 through 3.6.11, and versions 3.7.0-ea.1 through 3.7.0-ea.3. An unauthenticated attacker can exploit this by sending gRPC requests with a malformed HTTP/2 \u003ccode\u003e:path\u003c/code\u003e pseudo-header that omits the leading slash (e.g., \u003ccode\u003eService/Method\u003c/code\u003e instead of \u003ccode\u003e/Service/Method\u003c/code\u003e). While…\u003c/p\u003e\n","date_modified":"2026-03-29T15:37:47Z","date_published":"2026-03-29T15:37:47Z","id":"/briefs/2026-04-traefik-grpc-bypass/","summary":"A remote, unauthenticated attacker can bypass Traefik deny rules by sending malformed gRPC requests with a missing leading slash in the `:path` pseudo-header, exploiting a vulnerability in the gRPC-Go dependency, leading to unauthorized access if a fallback \"allow\" rule is configured.","title":"Traefik gRPC Deny Rule Bypass Vulnerability (CVE-2026-33186)","url":"https://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Grpc","version":"https://jsonfeed.org/version/1.1"}