Traefik is potentially affected by CVE-2026-33186 through its dependency on an affected version of gRPC-Go.
A remote, unauthenticated attacker can send gRPC requests whose HTTP/2 :path pseudo-header omits the mandatory leading slash (for example Service/Method instead of /Service/Method). The gRPC-Go server still routes such a request to the intended handler, but path-based authorization interceptors evaluate the raw, non-canonical path: a "deny" rule written for /Service/Method does not match Service/Method, so if the policy ends in a fallback "allow" rule the request bypasses the policy entirely. Policies that fall through to "deny" by default are not bypassed in this way, since the unmatched path is still rejected.
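The following Go program is an added illustration of the interceptor pattern described above; it is not code from Traefik or gRPC-Go, and the Policy type, the method names and the functions in it are hypothetical. The vulnerable authorizer compares the raw :path (what an interceptor sees as the full method name) against a deny list and falls through to a fallback allow, so the slash-less admin.Admin/DropDatabase slips past the rule; the hardened variant fails closed on any path that is not in the canonical /package.Service/Method form.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a minimal, hypothetical model of a path-based authorization
// policy as a gRPC interceptor might enforce it: a set of denied full
// method names plus a fallback decision when no rule matches.
type Policy struct {
	Deny          map[string]bool // full method names that must be rejected
	FallbackAllow bool            // decision when no deny rule matches
}

// authorizeVulnerable mirrors the flawed pattern: the raw :path is compared
// against the deny list without being canonicalised first. A path that omits
// the leading slash never matches a deny rule and falls through to the
// fallback "allow", even though the server routes it to the real handler.
func authorizeVulnerable(p Policy, rawFullMethod string) bool {
	if p.Deny[rawFullMethod] {
		return false
	}
	return p.FallbackAllow
}

// canonicalMethod enforces the gRPC wire convention that a method path is
// "/<package.Service>/<Method>". Anything else is rejected rather than
// silently normalised, so the policy and the router always agree on the name.
func canonicalMethod(rawFullMethod string) (string, error) {
	if !strings.HasPrefix(rawFullMethod, "/") {
		return "", fmt.Errorf("non-canonical method path %q: missing leading slash", rawFullMethod)
	}
	parts := strings.Split(rawFullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("malformed method path %q", rawFullMethod)
	}
	return rawFullMethod, nil
}

// authorizeHardened fails closed: non-canonical paths are denied outright,
// and only canonical names are checked against the deny list.
func authorizeHardened(p Policy, rawFullMethod string) bool {
	m, err := canonicalMethod(rawFullMethod)
	if err != nil {
		return false
	}
	if p.Deny[m] {
		return false
	}
	return p.FallbackAllow
}

func main() {
	// Constructed sample policy: one denied admin method, allow everything else.
	policy := Policy{
		Deny:          map[string]bool{"/admin.Admin/DropDatabase": true},
		FallbackAllow: true,
	}
	for _, path := range []string{
		"/admin.Admin/DropDatabase", // canonical, must be denied
		"admin.Admin/DropDatabase",  // missing leading slash: the bypass
		"/public.Echo/Ping",         // canonical, allowed by the fallback
	} {
		fmt.Printf("%-28s vulnerable=%-5v hardened=%v\n", path,
			authorizeVulnerable(policy, path), authorizeHardened(policy, path))
	}
}
```

Prepending the missing slash instead of rejecting the request would also close this particular gap, but rejecting keeps policy evaluation and routing from ever disagreeing on the method name. Independently of the library fix, a policy whose fallback is "deny" rather than "allow" would not have been bypassed by this malformed path.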
If there are any questions or comments about this advisory, please open an issue.
<details> <summary>Original Description</summary>

This CVE hits Traefik up to version 3.6.11 and 2.11.41. gRPC-Go has an authorization bypass via a missing leading slash in :path.
As described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3
Update library version in https://github.com/traefik/traefik/blob/67c64ed9b25fbb90f1086977a62827133a7aa01b/go.mod#L108
Described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3
</details>

Patched versions: 2.11.42, 3.6.12, 3.7.0-ea.3

Severity: 7.8 (High), CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Exploitability: Attack Vector: Network (AV:N), Attack Complexity: Low (AC:L), Attack Requirements: None (AT:N), Privileges Required: None (PR:N), User Interaction: None (UI:N)
Vulnerable System: Confidentiality: None (VC:N), Integrity: None (VI:N), Availability: None (VA:N)
Subsequent System: Confidentiality: High (SC:H), Integrity: High (SI:H), Availability: None (SA:N)