Authorization Bypass Vulnerability in elixir-grpc by Elixir
CVE-2026-48599
7.6 HIGH
What is CVE-2026-48599?
An authorization bypass vulnerability in the elixir-grpc framework allows authenticated attackers to manipulate requests and gain unauthorized access to other users' resources. By supplying a conflicting value for a path-bound field in the query string or request body, an attacker can exploit the low merge precedence used in the server's request processing. The flaw is in the map_request function of the Elixir.GRPC.Server.Transcode module. It lets attackers bypass essential authorization checks and potentially take control of other users' data and operations.
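The merge-precedence problem described above, as an added example that is not the elixir-grpc source or its fix. The module TranscodeMergeDemo, its function names and the sample request are hypothetical; the example only assumes that path, query and body parameters are combined as maps.

```elixir
# Added illustration; TranscodeMergeDemo and its functions are hypothetical,
# not code from elixir-grpc.
defmodule TranscodeMergeDemo do
  # Vulnerable order: path bindings are merged first, so a later source
  # carrying the same key silently replaces the value taken from the URL path.
  def merge_path_lowest(path_bindings, query_params, body) do
    path_bindings
    |> Map.merge(query_params)
    |> Map.merge(body)
  end

  # Hardened order: path bindings are merged last and always win.
  def merge_path_highest(path_bindings, query_params, body) do
    query_params
    |> Map.merge(body)
    |> Map.merge(path_bindings)
  end

  # Stricter variant: reject the request when another source disagrees
  # with a path-bound field, instead of resolving the conflict quietly.
  def merge_strict(path_bindings, query_params, body) do
    others = Map.merge(query_params, body)

    conflicts =
      for {key, value} <- path_bindings,
          Map.has_key?(others, key),
          Map.fetch!(others, key) != value,
          do: key

    case conflicts do
      [] -> {:ok, Map.merge(others, path_bindings)}
      keys -> {:error, {:conflicting_path_fields, Enum.sort(keys)}}
    end
  end
end

# Constructed request: the route is authorized on the user_id bound in the path.
path = %{"user_id" => "alice"}
query = %{"user_id" => "bob", "page" => "1"}
body = %{}

IO.inspect(TranscodeMergeDemo.merge_path_lowest(path, query, body), label: "path lowest")
IO.inspect(TranscodeMergeDemo.merge_path_highest(path, query, body), label: "path highest")
IO.inspect(TranscodeMergeDemo.merge_strict(path, query, body), label: "strict")
```

Logging the strict variant's error tuple gives defenders a signal for requests that carry a path-bound field twice with different values.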
Affected Version(s)
grpc 0.8.0 < 1.0.0
grpc 8aaf3d3a8c4c7b08ac65e9c6f254e0d24da1d048 < 33b6a095dbc91c6dee3c7b90893d7d74952e82e4
References
CVSS V4
Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Ullrich
Paulo Valente
Jonatan Männchen
