https://cybercrime.club/tags/microservices/Recent content in Microservices on cybercrime.clubHugoen-usFri, 03 Apr 2026 22:37:28 -0400https://cybercrime.club/posts/grpc-go-cve-2026-33186-auth-bypass/Fri, 03 Apr 2026 22:37:28 -0400https://cybercrime.club/posts/grpc-go-cve-2026-33186-auth-bypass/<p>A subtle path normalization flaw in gRPC-Go — tracked as CVE-2026-33186 — lets remote, unauthenticated attackers completely bypass authorization rules on any Go service that uses path-based access control. The bug rates CVSS 9.1. If your Go microservices speak gRPC and you use the official <code>grpc/authz</code> package or custom interceptors based on <code>info.FullMethod</code>, you need to patch now.</p> <h2 id="what-happened">What Happened</h2> <p>On March 20, 2026, the gRPC-Go team disclosed a critical authorization bypass (GHSA-p77j-4mvh-x3m3) affecting all versions of <code>google.golang.org/grpc</code> before <strong>v1.79.3</strong>.</p>