CVE-2026-48599
Deferred Deferred - Pending Action

Authorization Bypass in Elixir GRPC via Path-Bound Field Manipulation

Vulnerability report for CVE-2026-48599, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: EEF

Description

Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
elixir_grpc grpc From 0.8.0 (inc) to 1.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated attackers to bypass authorization checks and access or modify resources belonging to other users by manipulating path-bound fields. Such unauthorized access to user data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.

Because the vulnerability enables unauthorized data access and modification, it undermines the confidentiality and integrity requirements mandated by these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.

Executive Summary

This vulnerability is an Authorization Bypass Through User-Controlled Key issue in the elixir-grpc grpc library. Authenticated attackers can exploit it by sending a conflicting value for any path-bound field via the query string or request body. Due to the way the server merges path bindings with user-supplied data, the attacker-supplied value can override the intended path-bound value.

Specifically, in the Elixir.GRPC.Server.Transcode module, the use of Map.merge/2 with path bindings as the first argument causes the attacker-controlled data to take precedence. This allows attackers to bypass authorization, multi-tenancy scoping, or ownership checks that rely on these path-bound fields.

Impact Analysis

This vulnerability can allow an authenticated attacker to access or modify resources that belong to other users without proper authorization. This means sensitive data or functionality intended only for certain users could be exposed or altered by unauthorized parties.

Such unauthorized access can lead to data breaches, loss of data integrity, and potential compromise of user privacy or system security.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests that include query string or request body parameters which override path-bound fields, such as user identifiers. For example, requests like GET /users/me/profile?user_id=victim indicate an attempt to manipulate path parameters.

To detect such attempts on your system, you can inspect HTTP logs or use network monitoring tools to filter requests where query parameters or body fields conflict with path parameters.

Suggested commands include using tools like curl or tcpdump to capture and analyze traffic, and grep or jq to search logs for suspicious query strings or body content overriding path parameters.

  • Use curl to simulate suspicious requests: curl -v "http://yourserver/users/me/profile?user_id=victim"
  • Use grep to search server logs for query parameters overriding path fields: grep -E "user_id=" /var/log/yourapp/access.log
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for requests with query strings or bodies containing conflicting user IDs.
Mitigation Strategies

Immediate mitigation steps include disabling HTTP-to-gRPC transcoding if it is enabled, as the vulnerability is exploitable only when this feature is active.

If disabling transcoding is not feasible, carefully audit and modify your authorization logic to ensure that path-bound fields cannot be overridden by query string or request body parameters.

Monitor and block suspicious requests that attempt to override path parameters by filtering or rate-limiting such traffic.

Apply the patch from commit 33b6a095dbc91c6dee3c7b90893d7d74952e82e4 once it is available in your version of the grpc library, which fixes the merge precedence issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48599. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart