FIND-20260408-003 · 2026-04-08 · Innovation Veille
CVE-2026-33186 — Traefik gRPC authorization bypass (CVSS 7.8, patched)
cve
HIGH
CVE-2026-33186 is a critical authorization bypass in Traefik caused by its gRPC-Go dependency. An unauthenticated attacker can send gRPC requests with a malformed HTTP/2 :path pseudo-header (omitting the leading slash, e.g. Service/Method instead of /Service/Method). Path-based deny rules fail to match the raw non-canonical path, allowing the request to bypass authorization if a fallback allow rule exists. CVSS v4.0: 7.8 (High). Affects Traefik <=3.6.11 and <=2.11.41. Patched in v3.6.12 (released ~April 6, 2026). ODS last-versions.json shows traefik=3.6.12, so ODS is already protected. Verify Coolify-managed Traefik version matches.
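To make the matching failure concrete, here is an added Go example (written for this note, not Traefik's or gRPC-Go's code) that models a prefix-based deny rule sitting in front of a fallback allow. The policy, service names and function names are constructed: authorizeRaw reproduces the raw-path matching the advisory describes, and authorizeCanonical is the hardened form that normalises the :path before any rule is evaluated.

```go
package main

import "strings"

// Rule is a simplified prefix-based authorization rule, constructed for this
// example (not gRPC-Go's real policy format). First match wins; an empty
// prefix matches every path and models the "fallback allow" from the advisory.
type Rule struct {
	Prefix string
	Allow  bool
}

// Constructed policy: deny the admin service, allow everything else.
var policy = []Rule{
	{Prefix: "/admin.AdminService/", Allow: false},
	{Prefix: "", Allow: true},
}

// match applies the policy to whatever path it is handed; default deny.
func match(path string) bool {
	for _, r := range policy {
		if strings.HasPrefix(path, r.Prefix) {
			return r.Allow
		}
	}
	return false
}

// canonicalPath restores the canonical gRPC form "/<service>/<method>" by
// adding the leading slash the advisory says a client can omit.
func canonicalPath(p string) string {
	if !strings.HasPrefix(p, "/") {
		return "/" + p
	}
	return p
}

// authorizeRaw matches the :path as received (the vulnerable behaviour):
// "admin.AdminService/Reset" misses the deny prefix and hits the fallback allow.
func authorizeRaw(path string) bool { return match(path) }

// authorizeCanonical normalises first, so the deny rule always sees
// "/admin.AdminService/Reset" however the client spelled it.
func authorizeCanonical(path string) bool { return match(canonicalPath(path)) }
```

Rejecting any :path that is not already canonical is the stricter alternative to normalising it; either way, rule evaluation must never see the raw header value.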
Source
https://github.com/traefik/traefik/security/advisories/GHSA-46wh-3698-f2cx
ODS Impact
API Gateway (Traefik) — all ODS service endpoints traverse Traefik. If ODS uses gRPC-based services or path-based deny rules, this CVE was exploitable before upgrading to 3.6.12. Redpanda and ClickHouse expose gRPC endpoints internally. Verify the Coolify Traefik instance is on 3.6.12+.
Security Review
License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
cve
traefik
grpc
authorization-bypass
security
infrastructure
patched