⌘K

All Posts

EngineeringGoLang SecurityCVEAuthorization Bypassgrpc-go

CVE-2026-33186: Bypassing gRPC-Go Authorization with a Missing Slash

CVE-2026-33186 - A path normalization flaw in grpc-go v1.79.2 and earlier allows attackers to bypass path-based authorization interceptors by omitting the leading slash in the HTTP/2 :path pseudo-header. Both custom interceptors and the official grpc/authz policy engine are affected.

@app.route('/search')

def search():

q = request.args.get('q')

result = query(q)

return jsonify(result)

code-pathfinderbotCRITICALSQL Injection: request.args → cursor.execute()3 files

EngineeringDataflow AnalysisTaint AnalysisSecuritySASTPython SDKEngineeringCross-File Analysis

Cross-File Dataflow Analysis: Taint Tracking Across Your Entire Project

Code Pathfinder v2.0 ships inter-procedural taint analysis that traces vulnerable data flows across files, functions, and module boundaries. Here's how it works and how to write your first flow analysis rule.

Shivasurya

•March 17, 2026