FIND-20260404-011 · 2026-04-04 · Innovation Veille
CVE-2026-33186: Traefik CRITICAL Auth Bypass via gRPC-Go Path Canonicalization — PATCHED in v3.6.12
cve
HIGH
CVE-2026-33186 is a CRITICAL (CVSS 9.3) authorization bypass in Traefik caused by a flaw in the gRPC-Go dependency. A remote unauthenticated attacker can send gRPC requests with a malformed HTTP/2 :path pseudo-header that omits the leading slash (e.g., Service/Method instead of /Service/Method). The gRPC-Go server routes the request correctly but path-based authorization interceptors fail to match deny rules against the non-canonical path, allowing bypass of any fallback allow policy. Fixed in Traefik v3.6.12 (bumps grpc to v1.79.3) and v2.11.42. ODS currently runs v3.6.12 per last-versions.json — verify deployment matches this version.
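The matching gap described above, shown as an added Go sketch for reviewers of ODS's own interceptors; this is illustrative code, not Traefik's or gRPC-Go's implementation, and the service names, deny rule and allow-by-default fallback are constructed for the example. It contrasts a matcher that compares deny rules against the raw :path with one that canonicalizes first, and a stricter variant that fails closed on any non-canonical path.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed deny list: gRPC full-method names this gateway must refuse.
// The fallback policy is "allow", mirroring the allow-by-default setup
// the advisory says the non-canonical path falls through to.
var denyRules = []string{"/example.admin.v1.Admin/ResetCluster"}

// authorizeRaw compares deny rules against the :path exactly as received.
// This is the weak pattern: a path lacking the leading slash still routes
// to the same handler but never equals a deny rule, so it is allowed.
func authorizeRaw(rawPath string) bool {
	for _, r := range denyRules {
		if rawPath == r {
			return false
		}
	}
	return true // fallback allow policy
}

// canonicalize normalizes a :path value before any policy decision:
// guarantee a leading slash, then collapse duplicate slashes and dot segments.
func canonicalize(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// authorizeCanonical applies the same deny list to the canonical form,
// so spelling variants of a denied method are denied too.
func authorizeCanonical(rawPath string) bool {
	return authorizeRaw(canonicalize(rawPath))
}

// authorizeStrict is the fail-closed variant: any request whose :path is not
// already canonical is rejected outright, regardless of the deny list.
// Routing layers and authz layers then never disagree about what was asked for.
func authorizeStrict(rawPath string) bool {
	if canonicalize(rawPath) != rawPath {
		return false
	}
	return authorizeRaw(rawPath)
}

func main() {
	// Constructed sample :path values: the canonical denied method, the same
	// method without its leading slash, and an unrelated allowed method.
	samples := []string{
		"/example.admin.v1.Admin/ResetCluster",
		"example.admin.v1.Admin/ResetCluster",
		"/example.public.v1.Health/Check",
	}
	for _, p := range samples {
		fmt.Printf("%-40s raw=%-5t canonical=%-5t strict=%t\n",
			p, authorizeRaw(p), authorizeCanonical(p), authorizeStrict(p))
	}
}
```

The canonical-then-match form is the minimal fix; the strict form is what a gateway policy layer should prefer, because a request the router and the authorizer interpret differently is exactly the condition this CVE exploits, and refusing it costs nothing for well-formed clients.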
Source
https://github.com/traefik/traefik/security/advisories/GHSA-46wh-3698-f2cx
ODS Impact
Traefik is the ODS API Gateway. Any gRPC services exposed through Traefik (Redpanda, ClickHouse, internal M2M gRPC) may have their path-based authorization bypassed if Traefik is not updated to v3.6.12+. ODS last-versions.json records v3.6.12 as current; however, verify the deployed Coolify Traefik instance is actually running v3.6.12 and not an older pinned version. Run:
docker inspect traefik | grep Image
Security Review
License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
traefik
cve
critical
grpc
auth-bypass
api-gateway
urgent