CVE-2026-48599
Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: EEF

Description
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0.
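The merge-precedence defect described above, shown as an added illustration that is not the project's own code: a simplified model of the path/query/body merge with the vulnerable argument order, the same merge with path bindings applied last (an assumed hardening for illustration, not the upstream patch), and a handler-side check that flags a client-supplied value conflicting with a path-bound key. The module, function names and sample request are hypothetical.

```elixir
# Added illustration, not code from elixir-grpc. TranscodeDemo is a hypothetical
# module modelling how a transcoding layer merges path bindings with the
# query string and the request body.
defmodule TranscodeDemo do
  # Vulnerable ordering: path bindings are the first argument to Map.merge/2,
  # so a same-named key from the query string or body silently overwrites
  # the value the router extracted from the path.
  def merge_vulnerable(path_bindings, query, body) do
    path_bindings
    |> Map.merge(query)
    |> Map.merge(body)
  end

  # Assumed hardening (for illustration only): merge the client-controlled
  # sources first and apply path bindings last, so the router-extracted
  # value always wins on a key collision.
  def merge_hardened(path_bindings, query, body) do
    query
    |> Map.merge(body)
    |> Map.merge(path_bindings)
  end

  # Defensive check a handler can run regardless of library version:
  # returns every path-bound key for which the query string or body
  # carries a different value, so the request can be rejected or logged.
  def conflicting_keys(path_bindings, query, body) do
    for {key, bound} <- path_bindings,
        source <- [query, body],
        Map.get(source, key, bound) != bound,
        uniq: true,
        do: key
  end
end

# Constructed sample request: route /users/{user_id}/profile, with the
# path bound to "me" and a conflicting user_id smuggled in the query string.
path = %{"user_id" => "me"}
query = %{"user_id" => "victim"}
body = %{}

# With the vulnerable order the query value replaces the path binding;
# with the hardened order the path binding is preserved.
IO.inspect(TranscodeDemo.merge_vulnerable(path, query, body), label: "vulnerable")
IO.inspect(TranscodeDemo.merge_hardened(path, query, body), label: "hardened")

# The conflict check names the overridden key so the handler can refuse it.
IO.inspect(TranscodeDemo.conflicting_keys(path, query, body), label: "conflicts")
```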
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: elixir_grpc
Product: grpc
Version / Range: from 0.8.0 (inclusive) to 1.0.0 (exclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability is an Authorization Bypass Through User-Controlled Key issue in the elixir-grpc grpc library. Authenticated attackers can exploit it by sending a conflicting value for any path-bound field via the query string or request body. Due to the way the server merges path bindings with user-supplied data, the attacker-supplied value can override the intended path-bound value.

Specifically, in the Elixir.GRPC.Server.Transcode module, the use of Map.merge/2 with path bindings as the first argument causes the attacker-controlled data to take precedence. This allows attackers to bypass authorization, multi-tenancy scoping, or ownership checks that rely on these path-bound fields.

Impact Analysis

This vulnerability can allow an authenticated attacker to access or modify resources that belong to other users without proper authorization. This means sensitive data or functionality intended only for certain users could be exposed or altered by unauthorized parties.

Such unauthorized access can lead to data breaches, loss of data integrity, and potential compromise of user privacy or system security.
