CVE-2026-48599
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
A vulnerability in elixir-grpc allows authenticated attackers to access resources belonging to other users by manipulating values in requests. This enables them to bypass authorization mechanisms, leading to unauthorized access or modification of data.
Risk Assessment
Organizations may face serious data breaches as attackers can access sensitive information or alter other users' resources. This could result in loss of customer trust and potential legal consequences.
Recommendation
It is recommended to update elixir-grpc to version 1.0.0 or later to mitigate this vulnerability. Additionally, it is advisable to review and strengthen authorization mechanisms within the application.
Original NVD description (English source)
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0.

