
Red Hat patches gRPC auth-bypass in MicroShift 4.16.63

  • Shipped
  • Action required
  • High importance

The bug is the kind that makes you sigh: a missing leading slash. gRPC-Go's server happily routed HTTP/2 requests whose :path lacked the canonical leading slash exactly as if the slash were present, but the authorization interceptor evaluated the raw, non-canonical path rather than the path the router actually dispatched on. A "deny" rule scoped to the canonical path therefore never matched, and if a fallback "allow" rule existed, the request sailed through. The CVE-2026-33186 disclosure rates it CVSS 9.1, and upstream fixed it in gRPC-Go 1.79.3.

May 28 is when that fix reaches Red Hat's edge Kubernetes distribution: RHSA-2026:20436 (Important) ships MicroShift 4.16.63 for RHEL edge devices, rebuilt with the patched gRPC. Anyone running MicroShift 4.16 whose services lean on gRPC authz interceptors is sitting on this exposure until the erratum is applied.

The sources do not report in-the-wild exploitation, so this is a schedule-it rather than a drop-everything, but the CVSS score and the trivial trigger (a :path with the leading slash simply left off) argue against letting it linger.
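To make the router-versus-interceptor mismatch concrete, here is a small self-contained Go simulation. It is an added example written for this page, not gRPC-Go's code, Red Hat's patch, or the upstream fix: the Rule/Policy types are a toy stand-in for a path-scoped authz policy, and routeMethod only mimics the way a gRPC server splits :path into service and method (optional leading slash dropped, then split at the last "/"). vulnerableDecision reproduces the bug class by matching rules against the raw :path; hardenedDecision refuses any :path that is not exactly the canonical form the router would dispatch on and evaluates rules against that canonical form.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a toy stand-in for a path-scoped authorization rule (not grpc/authz's format).
// Path is the full method path the rule applies to; an empty Path matches any path.
type Rule struct {
	Path  string
	Allow bool
}

// Policy is evaluated top to bottom, first match wins; no match denies.
type Policy []Rule

// routeMethod mimics how a gRPC server turns :path into (service, method):
// one leading slash, if present, is dropped and the rest is split at the last "/".
// Consequence: "/pkg.Svc/M" and "pkg.Svc/M" route to the very same handler.
func routeMethod(path string) (service, method string, ok bool) {
	p := strings.TrimPrefix(path, "/")
	i := strings.LastIndex(p, "/")
	if i < 0 {
		return "", "", false
	}
	return p[:i], p[i+1:], true
}

// evaluate applies the policy to whatever path string the caller hands it.
func (pol Policy) evaluate(path string) bool {
	for _, r := range pol {
		if r.Path == "" || r.Path == path {
			return r.Allow
		}
	}
	return false
}

// vulnerableDecision models the bug: rules are matched against the raw :path,
// so a deny rule on "/pkg.Admin/Wipe" never sees "pkg.Admin/Wipe" and the
// fallback allow wins, even though the router dispatches both to the same handler.
func vulnerableDecision(pol Policy, rawPath string) bool {
	return pol.evaluate(rawPath)
}

// hardenedDecision refuses any :path that is not byte-for-byte the canonical
// "/service/method" the router would dispatch on, then evaluates rules against
// that canonical string. Rejecting (rather than normalizing) is the conservative
// choice: a gRPC client never has a legitimate reason to omit the leading slash.
func hardenedDecision(pol Policy, rawPath string) bool {
	svc, m, ok := routeMethod(rawPath)
	if !ok || svc == "" || m == "" || strings.Contains(svc, "/") {
		return false
	}
	canonical := "/" + svc + "/" + m
	if canonical != rawPath {
		return false // "pkg.Svc/M", "//pkg.Svc/M" and friends are refused outright
	}
	return pol.evaluate(canonical)
}

func main() {
	// Constructed policy: deny one dangerous method, allow everything else.
	pol := Policy{
		{Path: "/pkg.Admin/Wipe", Allow: false},
		{Allow: true},
	}
	// Constructed sample :path values, with and without the leading slash.
	for _, p := range []string{"/pkg.Admin/Wipe", "pkg.Admin/Wipe", "/pkg.Public/Ping", "pkg.Public/Ping"} {
		svc, m, _ := routeMethod(p)
		fmt.Printf("%-18s routes to %s/%-6s vulnerable=%-5v hardened=%v\n",
			p, svc, m, vulnerableDecision(pol, p), hardenedDecision(pol, p))
	}
}
```

Running it shows the two spellings of the admin method landing on the same handler while only the canonical one is denied by the vulnerable check; the hardened check denies both. Whatever fix shape you adopt in real code, the invariant is the one this toy makes visible: the authorization layer must compare rules against the same string the router dispatches on, never against an attacker-chosen variant of it.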