Severity: HIGH | CVE-2026-48599 | CNA: EEF

CVE-2026-48599: Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding

Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0.
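The merge-precedence defect described above, as an added illustration that is not code from the elixir-grpc/grpc library: a reduced model of the three-way parameter merge in HTTP transcoding, with the vulnerable argument order beside two hardened variants (path bindings merged last, and a strict version that rejects any conflicting client-supplied value). The module name, function names and the string-keyed maps are constructed for this example and do not mirror the real map_request/5 signature.

```elixir
defmodule TranscodeMergeDemo do
  # Vulnerable order, as the advisory describes: path bindings are the first
  # argument to Map.merge/2, so a query or body value for the same key wins.
  def merge_vulnerable(path_bindings, query_params, body_params) do
    path_bindings
    |> Map.merge(query_params)
    |> Map.merge(body_params)
  end

  # Hardened order: router-extracted path bindings are merged last, so they
  # always override anything the client supplied in the query string or body.
  def merge_hardened(path_bindings, query_params, body_params) do
    query_params
    |> Map.merge(body_params)
    |> Map.merge(path_bindings)
  end

  # Stricter variant: fail the request when a path-bound field also arrives
  # via query or body with a different value, instead of silently picking one.
  def merge_strict(path_bindings, query_params, body_params) do
    client = Map.merge(query_params, body_params)

    conflicts =
      for {k, v} <- path_bindings, Map.has_key?(client, k), client[k] != v, do: k

    case conflicts do
      [] -> {:ok, Map.merge(client, path_bindings)}
      keys -> {:error, {:path_binding_conflict, keys}}
    end
  end
end

# Constructed request mirroring the advisory's example:
# GET /users/me/profile?user_id=victim, where the router bound user_id from
# the path segment and the client smuggled a conflicting value in the query.
path = %{"user_id" => "me"}
query = %{"user_id" => "victim"}
body = %{}

IO.inspect(TranscodeMergeDemo.merge_vulnerable(path, query, body), label: "vulnerable")
IO.inspect(TranscodeMergeDemo.merge_hardened(path, query, body), label: "hardened")
IO.inspect(TranscodeMergeDemo.merge_strict(path, query, body), label: "strict")
```

Run with `elixir demo.exs` (no dependencies); the vulnerable merge hands the handler the query-supplied user_id, the hardened merge keeps the router's binding, and the strict merge returns an error naming the conflicting key.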

Metrics

CVSS v4.0: 7.6
Severity: HIGH
Fixed in: 1.0.0
Affected Products: 2


HarborGuard Analysis

Synopsis

An authorization bypass vulnerability affects the elixir-grpc/grpc library (versions from 0.8.0 up to, but not including, the fixed release 1.0.0) during HTTP transcoding. An authenticated attacker can smuggle a conflicting value for a path-bound field through the query string or request body, causing the transcoding layer to substitute the attacker-supplied value for the router-extracted one. This allows the attacker to read or modify resources belonging to other users, bypassing any authorization, multi-tenancy scoping, or ownership checks that rely on the path-bound field. A patched-image rebuild at version 1.0.0 (or commit 33b6a095dbc91c6dee3c7b90893d7d74952e82e4) is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-48599 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI pipelines, including custom-built images that bundle the elixir-grpc/grpc library.

Status: Available
Triage

HarborGuard is capable of scoring this CVE at 7.6 HIGH (CVSS v4.0) and weighting it against each customer environment's compliance policy to determine urgency and routing. Triage findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

A patched-image rebuild at version 1.0.0 (or the equivalent commit 33b6a095dbc91c6dee3c7b90893d7d74952e82e4) becomes available on HarborGuard for any image found to include an affected version of elixir-grpc/grpc. For customers who opt into auto-remediation, HarborGuard will rebuild the image, run a regression test suite, and open a pull request against the affected workload automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the gRPC HTTP transcoding endpoint over the network; the service must be exposed to the attacker's network.

  • Authentication: Required

    A low-privilege authenticated account is sufficient; the attacker must hold valid credentials but does not need administrative access.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends a crafted request directly without involving any other user.

  • Attack complexity: Low (AC:L)

    The base exploit mechanics are reliable and need no special conditions on the attacker's side. The CVSS vector does record an attack requirement (AT:P): the bypass is only effective when a deployment condition is present, namely a handler that relies on the path-bound field for authorization, tenancy scoping, or ownership checks.

Blast Radius

  • Reads resources belonging to arbitrary other users by substituting their identifier into path-bound authorization fields (e.g., fetching another user's profile or private data).
  • Modifies resources belonging to arbitrary other users by overriding ownership identifiers in write operations that rely on path-bound fields for scoping.
  • Multi-tenancy boundaries and ownership checks in any gRPC handler using HTTP transcoding are silently bypassed without any error or log entry at the transcoding layer.
  • Service availability is not affected; the vulnerability is limited to unauthorized data access and tampering.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-48599 is active across all connected registries and pipelines for images containing elixir-grpc/grpc versions from 0.8.0 up to, but not including, 1.0.0. Where a fix version is confirmed (1.0.0 or commit 33b6a095dbc91c6dee3c7b90893d7d74952e82e4), HarborGuard can produce a rebuilt image pinned to the patched release. For customers who opt into auto-remediation, the typical flow is: rebuilt image available, regression tests executed, and a pull request opened against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers not yet on auto-remediation, HarborGuard flags affected images in the dashboard and surfaces the fix version as the recommended remediation path. As a compensating control while patching is underway, network policy rules that restrict access to gRPC transcoding endpoints to only trusted and authenticated callers reduce the exposure window.


Fix available

Fixed version: 1.0.0
Patch commit: 33b6a095dbc91c6dee3c7b90893d7d74952e82e4
Affected packages
  • elixir-grpc / grpc
    < 1.0.0 (from 0.8.0)
  • elixir-grpc / grpc
    < 33b6a095dbc91c6dee3c7b90893d7d74952e82e4 (from 8aaf3d3a8c4c7b08ac65e9c6f254e0d24da1d048)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N