
Description

Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0.
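The precedence problem described above, reduced to a runnable Elixir script. This is an added illustration, not code from elixir-grpc: the module and function names are hypothetical, and the request data is constructed to match the GET and POST examples in the description. The "hardened" variant shows one way to restore router precedence and refuse smuggled conflicts; it is an assumption for illustration, not a claim about what the upstream patch commit does.

```elixir
# Added illustration (not elixir-grpc code). Models the merge order that
# GRPC.Server.Transcode.map_request/5 used in the affected versions, as the
# advisory describes it. Module and function names here are hypothetical.
defmodule TranscodeDemo do
  # Vulnerable shape: path bindings are the FIRST argument to Map.merge/2.
  # Map.merge/2 lets the second map win on key conflicts, so a same-named
  # key from the query string or body silently overwrites the router value.
  def map_request_vulnerable(path_bindings, query_params, body) do
    path_bindings
    |> Map.merge(query_params)
    |> Map.merge(body)
  end

  # One possible fix (assumption, not necessarily the upstream patch):
  # reject any request that carries a conflicting value for a path-bound
  # field, and otherwise merge path bindings LAST so the router wins.
  def map_request_hardened(path_bindings, query_params, body) do
    smuggled =
      path_bindings
      |> Map.keys()
      |> Enum.filter(fn key ->
        Map.has_key?(query_params, key) or Map.has_key?(body, key)
      end)

    case smuggled do
      [] ->
        {:ok, query_params |> Map.merge(body) |> Map.merge(path_bindings)}

      keys ->
        {:error, {:conflicting_path_fields, keys}}
    end
  end
end

# Constructed request 1: route template /users/{user_id}/profile,
# actual request GET /users/me/profile?user_id=victim
path_bindings = %{"user_id" => "me"}
query_params = %{"user_id" => "victim"}
body = %{}

IO.inspect(TranscodeDemo.map_request_vulnerable(path_bindings, query_params, body),
  label: "GET, vulnerable merge"
)

IO.inspect(TranscodeDemo.map_request_hardened(path_bindings, query_params, body),
  label: "GET, hardened merge"
)

# Constructed request 2: same route bound with body: "*", so the whole JSON
# body is mapped onto the message; POST /users/me/profile {"user_id":"victim"}
body = %{"user_id" => "victim"}

IO.inspect(TranscodeDemo.map_request_vulnerable(path_bindings, %{}, body),
  label: "POST, vulnerable merge"
)

IO.inspect(TranscodeDemo.map_request_hardened(path_bindings, %{}, body),
  label: "POST, hardened merge"
)
```

Run it with `elixir transcode_demo.exs`. In both constructed requests the vulnerable merge hands the handler a struct whose `user_id` is the attacker-supplied value, which is exactly the condition under which a handler's ownership or tenancy check on that field authorizes the wrong principal; the hardened merge returns an error tuple naming the conflicting field instead of a struct. Until an upgrade to a fixed release, a handler that must stay on an affected version should take its authorization subject from the raw route parameter rather than from the transcoded message.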

PUBLISHED Reserved 2026-05-22 | Published 2026-06-15 | Updated 2026-06-17 | Assigner EEF

HIGH: 7.6 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

0.8.0 (semver) before 1.0.0
affected

Default status
unaffected

8aaf3d3a8c4c7b08ac65e9c6f254e0d24da1d048 (git) before 33b6a095dbc91c6dee3c7b90893d7d74952e82e4
affected

Credits

Peter Ullrich finder

Paulo Valente remediation developer

Jonatan Männchen analyst

References

github.com/...c/grpc/security/advisories/GHSA-mwr4-5g34-j5cq exploit

github.com/...c/grpc/security/advisories/GHSA-mwr4-5g34-j5cq vendor-advisory related

cna.erlef.org/cves/CVE-2026-48599.html related

osv.dev/vulnerability/EEF-CVE-2026-48599 related

github.com/...ommit/33b6a095dbc91c6dee3c7b90893d7d74952e82e4 patch

cve.org (CVE-2026-48599)

nvd.nist.gov (CVE-2026-48599)
