FIND-20260402-001 · 2026-04-02 · Innovation Veille
CVE-2026-33186: Traefik CRITICAL auth bypass via gRPC-Go path canonicalization — PATCHED in v3.6.11+
cve
HIGH
CRITICAL (CVSS 9.3) authorization bypass in Traefik's gRPC routing. A malformed :path pseudo-header without the leading slash (e.g. Service/Method instead of /Service/Method) bypasses deny rules in path-based authorization interceptors: the raw, non-canonical path is what gets evaluated, so a deny rule written for /Service/Method never matches and the request is passed through. No authentication required, network-exploitable. Root cause: a path canonicalization flaw in gRPC-Go (v1.79.3), fixed by upgrading Traefik's gRPC dependency. ODS currently runs Traefik 3.6.12, which includes the fix (patched in 3.6.11). No immediate action required, but verify that no gRPC services are exposed without explicit allow-listing.
Source
https://cvereports.com/reports/GHSA-46WH-3698-F2CX
ODS Impact
API Gateway (Traefik) is ODS's ingress point for all services. Any gRPC-based middleware or service (including Redpanda's Admin API if routed through Traefik) could have been bypassed prior to 3.6.11. ODS is currently on 3.6.12 — patch is in place. Verify all Traefik routers use explicit allow rules rather than relying solely on deny rules.
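The mechanism in the summary (a raw, non-canonical :path slipping past a deny rule) and the remediation noted above (explicit allow rules rather than deny-only rules), as an added Go example written for this card. It is not Traefik or gRPC-Go code and does not reproduce their interceptor; the rule sets, the service and method names, and the canonicalMethod helper are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed rule sets for illustration only. The service and method names
// are hypothetical and are not taken from the advisory or from any ODS service.
var denyRules = map[string]bool{
	"/admin.Admin/Shutdown": true,
}

var allowRules = map[string]bool{
	"/orders.Orders/Get": true,
}

// allowedByRawDeny models the vulnerable pattern described in the finding:
// the :path pseudo-header is compared against deny rules exactly as received.
// "/admin.Admin/Shutdown" is denied, but "admin.Admin/Shutdown" (no leading
// slash) is not in the deny set and is passed through. Returns true when the
// request would be allowed.
func allowedByRawDeny(path string) bool {
	return !denyRules[path]
}

// canonicalMethod accepts only a :path of the exact shape the gRPC wire
// protocol defines, "/" Service "/" Method, and rejects everything else.
// Non-canonical input is refused rather than normalised, so a request cannot
// satisfy the authorization check under one spelling while being routed under
// another.
func canonicalMethod(path string) (string, error) {
	if !strings.HasPrefix(path, "/") {
		return "", fmt.Errorf("path %q does not start with '/'", path)
	}
	if strings.ContainsAny(path, "?#") {
		return "", fmt.Errorf("path %q carries a query or fragment", path)
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", errors.New("path is not of the form /Service/Method")
	}
	return path, nil
}

// allowedByCanonicalAllow is the hardened form the finding recommends:
// default deny, with only canonical paths on an explicit allow-list passing.
func allowedByCanonicalAllow(path string) bool {
	canon, err := canonicalMethod(path)
	if err != nil {
		return false
	}
	return allowRules[canon]
}

func main() {
	// Constructed sample :path values, including the bypass shape from the finding.
	for _, p := range []string{
		"/admin.Admin/Shutdown", // canonical, should be denied
		"admin.Admin/Shutdown",  // missing leading slash, the bypass
		"/orders.Orders/Get",    // canonical, on the allow-list
		"orders.Orders/Get",     // missing leading slash
		"//orders.Orders/Get",   // doubled slash
	} {
		fmt.Printf("%-24q raw-deny allows: %-5t canonical-allow allows: %t\n",
			p, allowedByRawDeny(p), allowedByCanonicalAllow(p))
	}
}
```

The deny-only check lets "admin.Admin/Shutdown" through while the allow-list check rejects every spelling that is not exactly a permitted /Service/Method. In Traefik the same default-deny posture comes from defining routers only for the gRPC methods that should be reachable, so that anything not matched by a router is never forwarded.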
Security Review
License: N/A (CVE) | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
cve
traefik
critical
grpc
auth-bypass
api-gateway
patched