
A security researcher found that adding a trailing slash to AWS HTTP API paths bypassed Lambda authorizer authentication entirely, enabling unauthenticated wire transfers at a fintech. The root cause is a path normalization mismatch between HTTP API's greedy route matching and its authorization layer. The same vulnerability class appeared in gRPC-Go via CVE-2026-33186. By Steef-Jan Wiggers
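To make the mechanism concrete, here is an added illustration (not code from the InfoQ article, from the researcher, or from AWS) of the vulnerability class described above: a toy gateway with two independent layers, an authorization layer that decides whether an authorizer must run and a routing layer that picks the backend integration. In the vulnerable variant the routing layer strips the trailing slash before matching while the authorization layer keys on the raw path, so `POST /transfer/` is routed to the transfer handler with no authorizer ever running. The hardened variant canonicalizes the path once and derives both decisions from the same route record, and the backend handler independently refuses requests that carry no authorizer context (defense in depth for teams that would otherwise rely on the gateway alone). The route table, the `Bearer good-token` credential, the `jwt` authorizer name and the handler names are constructed for the example.

```python
"""Toy model of a route/authorizer path-normalization mismatch.

Added example, not code from the InfoQ article or from AWS. Routes, tokens,
authorizer and handler names are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Constructed route table: one protected route, one intentionally public route.
ROUTES: Dict[str, Dict[str, Optional[str]]] = {
    "POST /transfer": {"authorizer": "jwt", "handler": "transfer_lambda"},
    "GET /health":    {"authorizer": None,  "handler": "health_lambda"},
}

VALID_TOKENS = {"Bearer good-token"}  # stand-in for real JWT verification


def normalize(path: str) -> str:
    """Canonical path: collapse '//' runs and strip trailing slashes (keep '/')."""
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"


def run_authorizer(name: Optional[str], headers: Dict[str, str]) -> bool:
    """Simulated Lambda authorizer. None means the route is deliberately public."""
    if name is None:
        return True
    if name == "jwt":
        return headers.get("authorization") in VALID_TOKENS
    return False  # unknown authorizer name: fail closed


def handle_vulnerable(method: str, path: str,
                      headers: Dict[str, str]) -> Tuple[int, str]:
    """Authorization layer keys on the RAW path; routing on the NORMALIZED one.

    A request for '/transfer/' finds the transfer route (normalized match) but
    no authorizer config (raw match), and the absence of config is treated as
    'no authorizer attached', i.e. public. That is the bypass.
    """
    authz_cfg = ROUTES.get(f"{method} {path}")             # raw path
    route_cfg = ROUTES.get(f"{method} {normalize(path)}")  # normalized path
    if route_cfg is None:
        return 404, "no route"
    authorizer = authz_cfg["authorizer"] if authz_cfg else None
    if not run_authorizer(authorizer, headers):
        return 401, "unauthorized"
    return 200, route_cfg["handler"]


def handle_hardened(method: str, path: str,
                    headers: Dict[str, str]) -> Tuple[int, str]:
    """Canonicalize once; route and authorizer come from the same record."""
    route_cfg = ROUTES.get(f"{method} {normalize(path)}")
    if route_cfg is None:
        return 404, "no route"
    if not run_authorizer(route_cfg["authorizer"], headers):
        return 401, "unauthorized"
    return 200, route_cfg["handler"]


def transfer_backend(event: Dict) -> Tuple[int, str]:
    """Backend-side check: refuse to act unless an authorizer populated context.

    Mirrors the shape of an HTTP API event (requestContext.authorizer) but the
    field contents are constructed; a real handler would also validate claims.
    """
    authz = event.get("requestContext", {}).get("authorizer")
    if not authz or not authz.get("principalId"):
        return 403, "no authorizer context"
    return 200, f"transfer executed for {authz['principalId']}"


if __name__ == "__main__":
    print(handle_vulnerable("POST", "/transfer/", {}))   # bypass: (200, ...)
    print(handle_hardened("POST", "/transfer/", {}))     # (401, 'unauthorized')
    print(transfer_backend({"requestContext": {}}))      # (403, ...)
```

The vulnerable and hardened variants share the same route table and the same authorizer; the only difference is whether the two layers agree on what the path is. That is the property to test for in pre-production: send each protected route with a trailing slash, doubled slashes and mixed case, and assert the authorizer is invoked on every variant that reaches the integration.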
This vulnerability fits an ongoing pattern: layered cloud service architectures introduce new attack surface, and discovery of the resulting bugs often lags well behind adoption.
Practitioners should care because authentication and authorization in serverless architectures remain a critical, evolving risk for enterprise applications, and a gateway-level authorizer is frequently the only control in front of sensitive operations.
The finding forces a re-evaluation of a basic assumption about API gateway security: that the path used to select a route is the same path used to decide whether an authorizer runs. Path normalization must be consistent across every layer of the request pipeline, and backends should not treat "reached the integration" as proof that authorization happened.
- Security researchers
- Cloud security vendors
- Organizations with robust security auditing
- AWS (reputation)
- Cloud-native fintechs (risk exposure)
- Organizations relying solely on API Gateway for auth
AWS will likely issue guidance and a service-side fix for the path normalization inconsistency in HTTP API route matching and authorization.
Organizations may increase investment in multi-layered authorization (gateway plus backend checks) and in pre-production testing that exercises path variants such as trailing and doubled slashes against protected routes.
The incident could contribute to a broader industry shift towards more declarative and verifiable security policies within cloud infrastructure as code, where the set of routes that require an authorizer can be checked mechanically rather than assumed.
This signal links to a primary source. Continuum Brief monitors and indexes it as part of the live intelligence stream — we do not republish source content.
Read at InfoQ