CVE-2026-32136: Go h2c.NewHandler Outside Auth Middleware
greprules fetch cve-2026-32136-go-h2c-newhandler-outside-auth-middleware --engine opengrep
Description
The handler passed to h2c.NewHandler does not include authentication middleware: the auth middleware is wrapped around the result of h2c.NewHandler instead of around its input. When a client performs an HTTP/2 cleartext (h2c) upgrade, the h2c handler hijacks the TCP connection and dispatches all subsequent HTTP/2 requests through the inner handler captured a
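The wrapping order described above, shown with a simplified model as an added example that is not part of the rule or of the affected project. `h2cModel` is a stand-in for the handler returned by h2c.NewHandler, and `requireToken`, the `/admin` path and the token value are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// h2cModel is a simplified stand-in for the handler h2c.NewHandler returns
// (an assumption of this example, not the golang.org/x/net code). It captures
// the inner handler once, at construction.
type h2cModel struct{ inner http.Handler }

// ServeHTTP models a plain HTTP/1.1 request passing through to the inner handler.
func (h *h2cModel) ServeHTTP(w http.ResponseWriter, r *http.Request) { h.inner.ServeHTTP(w, r) }

// ServeUpgraded models a request on an already-hijacked connection: it is
// dispatched to the captured inner handler, skipping anything wrapped around h.
func (h *h2cModel) ServeUpgraded(w http.ResponseWriter, r *http.Request) { h.inner.ServeHTTP(w, r) }

// requireToken is a hypothetical auth middleware; the token is a constructed value.
func requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// app is the protected application handler (hypothetical).
var app = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "admin data") })

// status sends one request carrying no credentials and returns the response code.
func status(serve func(http.ResponseWriter, *http.Request)) int {
	rec := httptest.NewRecorder()
	serve(rec, httptest.NewRequest(http.MethodGet, "/admin", nil))
	return rec.Code
}

func main() {
	flagged := &h2cModel{inner: app} // inner handler captured without auth
	outer := requireToken(flagged)   // flagged pattern: auth wraps the result
	// Corrected pattern: auth wraps the input, so the captured handler enforces it.
	corrected := &h2cModel{inner: requireToken(app)}
	fmt.Println("flagged, HTTP/1.1 path:", status(outer.ServeHTTP))
	fmt.Println("flagged, upgraded path:", status(flagged.ServeUpgraded))
	fmt.Println("corrected, upgraded path:", status(corrected.ServeUpgraded))
}
```

The flagged wiring still rejects an unauthenticated HTTP/1.1 request, which is why a test that only exercises that path does not catch the problem.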
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided