
elixir-grpc CVE-2026-48599

Severity: HIGH (CVSS 4.0 base score 7.6, vendor: EEF)
Weakness: Authorization Bypass Through User-Controlled Key (CWE-639)
Published: 2026-06-15 by EEF

Severity by source

Vendor (EEF), primary rating: 7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI rating: 6.8 MEDIUM
Network-exploitable by any authenticated user (PR:L), but AC:H reflects the need for a transcoded route whose path binding matches an authorization field; high C/I impact via IDOR, no availability impact.
CVSS 3.1: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS Vector (Vendor: EEF)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: Jun 15, 2026, 22:52 (vuln.today)
Analysis Generated: Jun 15, 2026, 22:52 (vuln.today)

Description (CVE.org)

Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body.

In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed.

This issue affects grpc from 0.8.0 before 1.0.0.

Analysis (AI)

Authorization bypass in elixir-grpc (grpc library for Elixir) versions 0.8.0 through 0.x allows authenticated attackers to override path-bound URL parameters via query string or request body values, defeating ownership and multi-tenancy checks. The flaw stems from incorrect Map.merge/2 precedence in GRPC.Server.Transcode.map_request/5, where attacker-controlled query/body values silently overwrite the router-extracted path bindings used by handlers for authorization. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: authenticate to the transcoded gRPC API
  • Delivery: identify a route with an authorization-relevant path binding
  • Exploit: send a request overriding the bound field via query string or body
  • Execution: transcoder merges the attacker value over the path binding
  • Persist: handler authorizes against the forged identifier
  • Impact: read or modify the victim's resource

Vulnerability Assessment (AI)

Exploitation: The target service must use elixir-grpc's HTTP/JSON transcoding (google.api.http annotations producing path bindings), have at least one route whose path binding name matches an authorization-relevant protobuf field (e.g., user_id, tenant_id, org_id), and have a handler that derives authorization, ownership, or multi-tenant scoping from that decoded field rather than from the authenticated session. …

Risk Assessment: The CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (base 7.6) reflects network-exploitable, low-complexity, low-privilege access with high confidentiality and integrity impact and no availability impact, consistent with a horizontal privilege escalation / IDOR bug rather than RCE. …

Exploit Scenario: An authenticated user of a multi-tenant Elixir API, holding a valid session, sends GET /users/me/profile?user_id=victim (or a POST with body {"user_id":"victim"} when the HttpRule body is '*'); transcoding overwrites the path-bound user_id='me' with 'victim', and the handler's ownership check, which reads user_id from the decoded struct, returns or modifies the victim's data. No exploit code is published, but the public commit diff and regression tests make the attack pattern self-evident.

Remediation: Vendor-released patch: upgrade elixir-grpc 'grpc' to 1.0.0 or later, which reverses the Map.merge argument order so path bindings take precedence over query and body (commit 33b6a095dbc91c6dee3c7b90893d7d74952e82e4). …
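To make the merge-precedence flaw from the Description and the argument-order fix named under Remediation concrete, here is an added Elixir illustration; it is not elixir-grpc's own code, and the TranscodeDemo module, its route template and the request values are constructed for this example.

```elixir
defmodule TranscodeDemo do
  @moduledoc """
  Added illustration, not elixir-grpc's own code: a minimal HTTP/JSON
  transcoder that binds `{field}` segments of a route template and then
  merges path, query and body parameters in the two orders the advisory
  describes. The route, names and request values below are constructed.
  """

  # Bind template segments such as "/users/{user_id}/profile" against a
  # concrete request path; returns nil when the route does not match.
  def bind_path(template, path) do
    t = String.split(template, "/", trim: true)
    p = String.split(path, "/", trim: true)
    if length(t) == length(p), do: do_bind(t, p, %{}), else: nil
  end

  defp do_bind([], [], acc), do: acc

  defp do_bind(["{" <> rest | t], [value | p], acc) do
    do_bind(t, p, Map.put(acc, String.trim_trailing(rest, "}"), value))
  end

  defp do_bind([literal | t], [literal | p], acc), do: do_bind(t, p, acc)
  defp do_bind(_, _, _), do: nil

  # Vulnerable order (grpc 0.8.0 before 1.0.0): path bindings are the first
  # Map.merge/2 argument, so a same-named query or body key overrides them.
  def map_request_vulnerable(bindings, query, body) do
    bindings |> Map.merge(query) |> Map.merge(body)
  end

  # Fixed order (1.0.0): path bindings are merged last, so the value the
  # router extracted from the URL always wins over query and body.
  def map_request_fixed(bindings, query, body) do
    query |> Map.merge(body) |> Map.merge(bindings)
  end
end

# Constructed request from the advisory: route /users/{user_id}/profile,
# request path /users/me/profile, attacker-supplied ?user_id=victim, no body.
bindings = TranscodeDemo.bind_path("/users/{user_id}/profile", "/users/me/profile")
query = URI.decode_query("user_id=victim")
body = %{}

# These pattern matches raise MatchError if the merge behaves differently.
%{"user_id" => "victim"} = TranscodeDemo.map_request_vulnerable(bindings, query, body)
%{"user_id" => "me"} = TranscodeDemo.map_request_fixed(bindings, query, body)
```

Run with `elixir transcode_demo.exs`; a handler that scopes authorization to the session identity rather than to the decoded user_id field is unaffected by either merge order.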

Recommended Action (AI)

Within 24 hours: inventory services running elixir-grpc 0.8.0 through current, prioritizing multi-tenant deployments. …

