FIND-20260401-002 · 2026-04-01 · Innovation Veille
CVE-2026-33186 — Traefik CRITICAL Authorization Bypass via malformed gRPC path (PATCH to v3.6.12)
cve
HIGH
CRITICAL CVE in Traefik affecting versions < 3.6.11 and < 2.11.41. A remote unauthenticated attacker can bypass path-based authorization by sending gRPC requests with malformed HTTP/2 :path headers (omitting the leading slash). The interceptor fails to match deny rules, allowing full policy bypass if a fallback allow rule exists. Fixed in Traefik 3.6.12, 2.11.42, and 3.7.0-ea.3 (released 2026-03-26). Also note CVE-2026-33433 (MEDIUM): authentication spoofing via non-canonical headerField configuration.
Source
https://github.com/traefik/traefik/security/advisories/GHSA-46wh-3698-f2cx
ODS Impact
ODS API Gateway uses Traefik as the ingress proxy. If the ODS Traefik version is below 3.6.12 or 2.11.42, all path-based authorization rules protecting microservices (oid, docstore, pdf-engine, etc.) could be bypassed by an unauthenticated attacker via malformed gRPC paths. Upgrade to 3.6.12 immediately. Also verify that headerField configs are canonical (X-Auth-User, not x-auth-user) to close CVE-2026-33433.
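As an added example (not from the advisory or the Traefik project), the POSIX shell functions below turn the two mitigation checks above into something an operator can run: one compares a Traefik version string against the fixed releases named in this finding (3.6.12, 2.11.42, 3.7.0-ea.3), the other flags headerField values that are not in canonical form. The config sample is constructed; the YAML layout of the basicAuth headerField option, the canonical form (each hyphen-separated token capitalised, rest lowercase, as Go's canonical MIME header keys) and the "Version:" line of `traefik version` output are assumptions.

```shell
#!/bin/sh
# Constructed example for the Traefik finding above; not Traefik's own tooling.

# ver_ge A B: exit 0 if dotted numeric version A >= B (up to three components).
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# traefik_fixed VERSION: exit 0 if VERSION carries the fix for CVE-2026-33186
# according to the fixed releases named in the finding (3.6.12, 2.11.42, 3.7.0-ea.3).
traefik_fixed() {
  v=${1#v}                      # tolerate a leading "v"
  base=${v%%-*}                 # "3.7.0-ea.3" -> "3.7.0"
  pre=""
  [ "$base" != "$v" ] && pre=${v#*-}   # "ea.3"
  case "$base" in
    2.*)   ver_ge "$base" 2.11.42 ;;
    3.7.0)
      # Assumption: only ea.3 and later pre-releases of 3.7.0 are fixed; a final
      # 3.7.0 is treated as fixed because it would follow ea.3.
      case "$pre" in
        ea.*) n=${pre#ea.}; [ "$n" -ge 3 ] ;;
        "")   return 0 ;;
        *)    return 1 ;;
      esac ;;
    3.*)   [ -z "$pre" ] && ver_ge "$base" 3.6.12 ;;   # unknown pre-release: not fixed
    *)     return 1 ;;
  esac
}

# canonical_header NAME: print NAME in canonical MIME header form (assumed rule).
canonical_header() {
  echo "$1" | awk -F- 'BEGIN { OFS = "-" } {
    for (i = 1; i <= NF; i++)
      $i = toupper(substr($i, 1, 1)) tolower(substr($i, 2))
    print
  }'
}

# write_sample_config FILE: constructed dynamic config with one bad headerField.
write_sample_config() {
  cat > "$1" <<'EOF'
http:
  middlewares:
    auth-ok:
      basicAuth:
        usersFile: /etc/traefik/users
        headerField: X-Auth-User
    auth-bad:
      basicAuth:
        usersFile: /etc/traefik/users
        headerField: x-auth-user
EOF
}

# noncanonical_headerfields FILE: print "value -> canonical" for every headerField
# entry (YAML "key: value" or TOML 'key = "value"') that is not canonical.
noncanonical_headerfields() {
  grep -E '^[[:space:]]*headerField[[:space:]]*[:=]' "$1" |
    sed -E 's/^[^:=]*[:=][[:space:]]*//; s/["'\'']//g' |
    while read -r h; do
      c=$(canonical_header "$h")
      [ "$h" = "$c" ] || echo "$h -> $c"
    done
}

# Usage (assumes `traefik version` prints a "Version: x.y.z" line):
#   traefik_fixed "$(traefik version | awk '/^Version/ {print $2}')" || echo "UPGRADE"
#   noncanonical_headerfields /etc/traefik/dynamic.yml
```

Run the version check against every Traefik instance in the gateway, not only the one that answers `traefik version` on the jump host; the headerField scan should be pointed at all dynamic configuration sources (file provider directories, and exported Kubernetes or Docker label configs) since a single non-canonical value is enough for CVE-2026-33433.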
Security Review
License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
traefik
cve
critical
authorization-bypass
grpc
api-gateway
security