{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-48599/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-15T21:55:28.702Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-48599","@id":"https://www.cve.org/CVERecord?id=CVE-2026-48599","description":"Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body.\n\nIn 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profi"},"products":[{"@id":"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 1.0.0, 33b6a095dbc91c6dee3c7b90893d7d74952e82e4.","timestamp":"2026-06-15T21:55:28.702Z"}]}