Critical Authorization Bypass (RBAC/Ext_Authz)
Target: [REDACTED] Edge & Service Proxy
Vulnerability Class: Authorization Bypass via HTTP/2 Path Normalization
CVE ID: CVE-2026-XXXX
Discovered: February 25, 2026
Executive Summary
A critical authorization bypass vulnerability exists in [REDACTED] Edge & Service Proxy’s RBAC and external authorization modules due to improper HTTP/2 path normalization.
Technical Details
The vulnerability allows attackers to bypass authorization policies through path normalization tricks (e.g., //, /.), gaining unauthorized access to protected endpoints.
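The general failure mode, as an added illustration that is not code from the affected product or from this advisory: a policy check that matches the raw request path disagrees with one that matches the canonical path for the `//` and `/.` forms named above. The protected prefix, function names and sample paths are assumptions constructed for the example; the canonicalizer also resolves `..` segments (standard dot-segment removal), which goes beyond the two forms the advisory lists.

```python
# Hypothetical policy: prefixes that require authorization (assumption).
PROTECTED_PREFIXES = ("/admin",)

def canonicalize(raw_path: str) -> str:
    """Drop the query, collapse empty and '.' segments, resolve '..'."""
    path = raw_path.split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):          # '//' yields '', '/./' yields '.'
            continue
        if seg == "..":               # never climb above the root
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def is_protected(path: str) -> bool:
    """Prefix match on whole segments, so '/administrator' does not match."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def raw_match_requires_auth(raw_path: str) -> bool:
    """Weak form: policy evaluated on the path exactly as received."""
    return is_protected(raw_path.split("?", 1)[0])

def canonical_match_requires_auth(raw_path: str) -> bool:
    """Corrected form: policy evaluated on the canonical path only."""
    return is_protected(canonicalize(raw_path))

def find_mismatches(paths):
    """Paths where the two checks disagree; useful as a regression test
    for a policy layer or as a filter over access logs."""
    return [p for p in paths
            if raw_match_requires_auth(p) != canonical_match_requires_auth(p)]

# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = [
    "/admin/users",
    "//admin/users",
    "/./admin/users",
    "/admin//users",
    "/public/index.html",
]

if __name__ == "__main__":
    for p in find_mismatches(SAMPLE_PATHS):
        print(f"policy disagreement: raw={p!r} canonical={canonicalize(p)!r}")
```

The same comparison works as a detection: any logged request whose raw path differs from its canonical form and resolves under a protected prefix deserves review.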
OPSEC Note
Full technical details are embargoed until vendor patches are publicly available.
Impact Assessment
HTTP/2 path normalization failure enables authorization bypass in RBAC and external authorization modules, allowing unauthorized access to protected resources.
Disclosure Timeline
- February 25, 2026: Vulnerability discovered
- March 01, 2026: Vendor notification
- March 20, 2026: Vendor acknowledged
- April 07, 2026: Patch status: Under development