A Trailing Slash Bypassed AWS API Gateway Authorization
📰 InfoQ AI/ML
A trailing slash in AWS API Gateway HTTP paths can bypass Lambda authorizer authentication, allowing unauthorized access, and this vulnerability is also present in gRPC-Go
Action Steps
- Test your AWS API Gateway HTTP paths for vulnerability by adding a trailing slash
- Configure your API Gateway to normalize paths before authorization
- Apply a patch or update to fix the vulnerability in gRPC-Go via CVE-2026-331
- Run a security audit on your API Gateway and gRPC-Go applications to identify potential vulnerabilities
- Compare your API Gateway configuration with the recommended security best practices
Who Needs to Know This
Security and DevOps teams should be aware of this vulnerability to protect their AWS API Gateway and gRPC-Go applications from unauthorized access
Key Insight
💡 Path normalization mismatch between HTTP API's greedy route matching and its authorization layer can lead to security vulnerabilities
Share This
🚨 Trailing slash vulnerability in AWS API Gateway and gRPC-Go allows unauthorized access! 🚨
Key Takeaways
A trailing slash in AWS API Gateway HTTP paths can bypass Lambda authorizer authentication, allowing unauthorized access, and this vulnerability is also present in gRPC-Go
Full Article
A security researcher found that adding a trailing slash to AWS HTTP API paths bypassed Lambda authorizer authentication entirely, enabling unauthenticated wire transfers at a fintech. The root cause is a path normalization mismatch between HTTP API's greedy route matching and its authorization layer. The same vulnerability class appeared in gRPC-Go via CVE-2026-331
DeepCamp AI