FIND-20260406-001 · 2026-04-06 · Innovation Veille

CVE-2026-33186 — Traefik gRPC Authorization Bypass (CRITICAL, CVSS 9.3)

cve HIGH
Critical authorization bypass in Traefik (CVSS 9.3) via malformed gRPC :path pseudo-header missing leading slash. Unauthenticated remote attackers can bypass deny rules and access restricted gRPC endpoints. Fixed in Traefik 3.6.11 and 2.11.41. ODS current version is 3.6.12 — PATCHED. Verify deployment is running the patched image.

Source

https://github.com/traefik/traefik/security/advisories/GHSA-46wh-3698-f2cx

ODS Impact

Traefik is the ODS API Gateway routing all inter-service traffic. If an unpatched version were running, this CVE would allow unauthenticated access to internal APIs. Confirm that srv-staging and srv-agents are running Traefik 3.6.12 or later. No code changes are required; this is an infrastructure upgrade only.
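The verification step above is easy to get wrong by eye (3.6.10 and 3.6.12 look alike in an inventory listing), so the following added example, not part of this finding or of Traefik itself, classifies Traefik image tags against the fixed versions the advisory names (3.6.11 and 2.11.41). The inventory dictionary and the hosts srv-legacy and srv-dev are constructed sample data; only srv-staging and srv-agents come from the finding. Treating release lines newer than 3.6 as carrying the fix is an assumption made in the code.

```python
import re
from typing import Optional

# Fixed versions per release branch, taken from the advisory summary in this finding.
FIXED_BY_BRANCH = {
    (3, 6): (3, 6, 11),
    (2, 11): (2, 11, 41),
}

# Matches the first major.minor.patch triple in an image reference, with an optional 'v' prefix.
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image_ref: str) -> Optional[tuple]:
    """Extract (major, minor, patch) from references such as 'traefik:v3.6.12'.

    Returns None for mutable or non-numeric tags ('latest'), which cannot be
    verified from the reference alone.
    """
    m = VERSION_RE.search(image_ref)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def classify(image_ref: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one image reference."""
    version = parse_version(image_ref)
    if version is None:
        return "unknown"
    major, minor, _patch = version
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is not None:
        # Branch named in the advisory: straightforward tuple comparison.
        return "patched" if version >= fixed else "vulnerable"
    # Branch not named in the advisory. Assumption: release lines newer than the
    # newest fixed branch include the fix; older lines predate it and stay flagged.
    newest_fixed = max(FIXED_BY_BRANCH.values())
    return "patched" if version > newest_fixed else "vulnerable"


def audit(inventory: dict) -> dict:
    """Map each host to the classification of the image it declares."""
    return {host: classify(image) for host, image in inventory.items()}


def unpatched_hosts(inventory: dict) -> list:
    """Hosts that are not confirmed patched, i.e. 'vulnerable' or 'unknown'."""
    return sorted(host for host, status in audit(inventory).items() if status != "patched")


# Constructed sample inventory (host -> declared image). srv-legacy and srv-dev are
# invented here; srv-staging and srv-agents are the hosts named in the finding.
SAMPLE_INVENTORY = {
    "srv-staging": "docker.io/library/traefik:v3.6.12",
    "srv-agents": "traefik:3.6.10",
    "srv-legacy": "traefik:2.11.41",
    "srv-dev": "traefik:latest",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print("needs attention:", unpatched_hosts(SAMPLE_INVENTORY))
```

A declared tag only shows what the deployment asked for, not what is running: a host flagged "unknown" (a `latest` tag) or any host whose image was rebuilt in place should be confirmed with `traefik version` on the running container, and the image digest recorded alongside the tag so the check is repeatable.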

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION

Tags

traefik cve critical authorization-bypass grpc api-gateway patched