PatchSiren cyber security CVE debrief
CVE-2026-48599 elixir-grpc CVE debrief
CVE-2026-48599 is an Authorization Bypass Through User-Controlled Key vulnerability in the elixir-grpc grpc library. It allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. The issue arises from the way 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex) handles path bindings, giving them the lowest merge precedence. The result is a decoded protobuf struct in which the path-bound field carries the attacker-supplied value rather than the router-extracted value, silently bypassing any handler that relies on the path-bound field for authorization, multi-tenancy scoping, or ownership checks.
- Vendor: elixir-grpc
- Product: grpc
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-16
Who should care
Users of elixir-grpc grpc versions from 0.8.0 up to, but not including, 1.0.0 are affected by this vulnerability and should take the mitigation steps below.
Technical summary
The vulnerability is caused by the use of Map.merge/2 with path bindings as the first argument in 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex). Because Map.merge/2 lets keys from its second argument override those of the first, the path bindings receive the lowest merge precedence, so a query-string or request-body parameter with the same name as a path-bound field replaces the value the router extracted from the URL path. This allows an attacker to smuggle a conflicting value for any path-bound field via the query string or request body.
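As an added illustration (not code from elixir-grpc), the toy module below builds a request map with path bindings as the first argument to Map.merge/2, as the summary describes, beside two corrected orderings; the module, function and field names, and the sample request, are assumptions constructed for this example.

```elixir
# Added illustration, not the elixir-grpc source. Module, function and field
# names are assumptions; only the Map.merge/2 ordering is taken from the advisory.
defmodule TranscodeMergeDemo do
  # Ordering described in the advisory: path bindings are the first argument,
  # so a same-named key from the query string or body overrides the value the
  # router extracted from the URL path (Map.merge/2 lets the second map win).
  def merge_vulnerable(path_bindings, query_params, body_params) do
    path_bindings
    |> Map.merge(query_params)
    |> Map.merge(body_params)
  end

  # Corrected ordering: client-controlled sources first, path bindings last,
  # so the router-extracted value always wins.
  def merge_hardened(path_bindings, query_params, body_params) do
    query_params
    |> Map.merge(body_params)
    |> Map.merge(path_bindings)
  end

  # Stricter variant: reject the request when a client-supplied source tries
  # to redefine a path-bound field, so the conflict surfaces in logs rather
  # than being silently resolved either way.
  def merge_strict(path_bindings, query_params, body_params) do
    client = Map.merge(query_params, body_params)

    conflicts =
      Enum.filter(Map.keys(path_bindings), fn key ->
        Map.has_key?(client, key) and client[key] != path_bindings[key]
      end)

    case conflicts do
      [] -> {:ok, Map.merge(client, path_bindings)}
      keys -> {:error, {:path_binding_conflict, keys}}
    end
  end
end

# Constructed sample request: the router bound "tenant_id" from the path, and
# the query string carries a conflicting "tenant_id".
path = %{"tenant_id" => "acme", "id" => "42"}
query = %{"tenant_id" => "other-tenant", "page" => "1"}
body = %{"name" => "renamed"}

IO.inspect(TranscodeMergeDemo.merge_vulnerable(path, query, body), label: "vulnerable")
IO.inspect(TranscodeMergeDemo.merge_hardened(path, query, body), label: "hardened")
IO.inspect(TranscodeMergeDemo.merge_strict(path, query, body), label: "strict")
```

Running the file with `elixir` shows that only the hardened and strict variants keep the router-bound tenant_id; the strict variant returns the conflict error instead of a merged map.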
Defensive priority
HIGH
Recommended defensive actions
- Update elixir-grpc grpc to version 1.0.0 or later.
- Review handlers that rely on path-bound fields for authorization, multi-tenancy scoping, or ownership checks, and update them so that the authorization decision cannot be influenced by a same-named query-string or request-body value.
Evidence notes
The CVE record and details can be found at [cve-org]. More information is available at [nvd]. Additional references include [ref-4], [ref-5], [ref-6], and [ref-7].
Official resources
- CVE-2026-48599 CVE record (CVE.org)
- CVE-2026-48599 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVE-2026-48599 was published on 2026-06-15T23:16:45.377Z and has not been modified since then.