fix(deps): bump google.golang.org/grpc to v1.79.3 (CVE-2026-33186)#20

Merged: bschimke95 merged 1 commit into main from fix/security-cve-2026-33186-grpc on Apr 2, 2026

Conversation

@bschimke95 (Collaborator)

Summary

CVE-2026-33186 - gRPC-Go authorization bypass

gRPC-Go v1.79.1 and earlier have an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. v1.79.3 rejects any request with a non-canonical path with an Unimplemented error.

Severity: Critical
Reference: grpc/grpc-go#8981

Dependabot Alert Triage

| Alert | CVE | Severity | Action |
|---|---|---|---|
| #9 | CVE-2026-33186 | Critical | Fixed by this PR (grpc bump) |
| #10, #8, #6, #5, #4, #3, #2, #1 | Various | High/Medium | Dismissed as inaccurate: manifests k8s/go.mod and k8s/tools/go.mod do not exist in this repo |
| #11 | CVE-2026-33634 | Critical | Already fixed (trivy-action) |
| #7 | CVE-2026-3351 | Medium | Already fixed (lxd already at patched version) |

gRPC-Go v1.79.1 and earlier have an authorization bypass where malformed
:path headers (missing the leading slash) could bypass path-based
restricted "deny" rules in interceptors like grpc/authz. v1.79.3
rejects any request with a non-canonical path with an Unimplemented
error.

Severity: Critical
Ref: grpc/grpc-go#8981
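The following Go program is an added illustration, not code from this PR or from grpc-go. It models, with the standard library only, why the v1.79.3 fix checks that the request path is canonical before any path-based deny rule is consulted: a deny rule anchored on "/" can only match a path that actually starts with "/". The rule list, the sample paths and the function names (`isCanonicalMethodPath`, `authorizeNaive`, `authorizeStrict`) are constructed for this example. In a real server the strict check would run inside a `grpc.UnaryServerInterceptor` on `info.FullMethod` and return `status.Error(codes.Unimplemented, ...)`, which matches the behaviour the PR description attributes to v1.79.3.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNonCanonicalPath stands in for status.Error(codes.Unimplemented, ...):
// any request whose path is not "/<package.Service>/<Method>" is refused
// before a deny rule is even looked at.
var ErrNonCanonicalPath = errors.New("non-canonical method path")

// ErrDenied stands in for codes.PermissionDenied when a deny rule matches.
var ErrDenied = errors.New("permission denied")

// isCanonicalMethodPath reports whether p has exactly the form
// "/Service/Method": leading slash, non-empty service, non-empty method,
// and no further slashes.
func isCanonicalMethodPath(p string) bool {
	if !strings.HasPrefix(p, "/") {
		return false
	}
	rest := p[1:]
	i := strings.IndexByte(rest, '/')
	if i <= 0 {
		return false // no separator, or empty service segment
	}
	method := rest[i+1:]
	if method == "" || strings.Contains(method, "/") {
		return false
	}
	return true
}

// denyRules is a constructed policy: method-path prefixes that must be
// refused, written the way path-based deny rules in an authz
// interceptor are anchored on the leading slash.
var denyRules = []string{"/pkg.Admin/", "/pkg.Users/Delete"}

// authorizeNaive applies the deny rules to the raw path with no
// canonical-form check. A path missing the leading slash matches none of
// the "/"-anchored rules, so it is allowed through; this is the pattern
// the CVE describes.
func authorizeNaive(path string) error {
	for _, r := range denyRules {
		if strings.HasPrefix(path, r) {
			return ErrDenied
		}
	}
	return nil
}

// authorizeStrict rejects anything that is not in canonical form first,
// so the deny rules are only ever evaluated against a well-formed path.
func authorizeStrict(path string) error {
	if !isCanonicalMethodPath(path) {
		return ErrNonCanonicalPath
	}
	return authorizeNaive(path)
}

func main() {
	// Constructed sample paths: one canonical denied path, the same path
	// without its leading slash, and a canonical allowed path.
	for _, p := range []string{"/pkg.Admin/Shutdown", "pkg.Admin/Shutdown", "/pkg.Users/Get"} {
		fmt.Printf("%-22s naive=%v strict=%v\n", p, authorizeNaive(p), authorizeStrict(p))
	}
}
```

Running the program shows the difference in one table: the naive evaluator denies "/pkg.Admin/Shutdown" but returns nil for "pkg.Admin/Shutdown", while the strict evaluator refuses the malformed path outright and only ever applies the rules to canonical input. The same ordering is what makes a dependency bump sufficient here: once the transport rejects non-canonical paths, every interceptor downstream sees only paths its rules were written for.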

Copilot AI left a comment


Pull request overview

Updates the project’s Go module dependencies to incorporate a patched gRPC-Go release that fixes a critical authorization bypass (CVE-2026-33186).

Changes:

  • Bump google.golang.org/grpc from v1.79.1 to v1.79.3 in go.mod.
  • Refresh go.sum checksums to reflect the updated gRPC-Go version.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| go.mod | Updates the indirect gRPC-Go requirement to v1.79.3 to pick up the security fix. |
| go.sum | Updates checksum entries for google.golang.org/grpc v1.79.3 to match the module change. |

@bschimke95 bschimke95 merged commit 079caf4 into main Apr 2, 2026
9 checks passed
@bschimke95 bschimke95 deleted the fix/security-cve-2026-33186-grpc branch April 2, 2026 10:02
ktsakalozos-canonical pushed a commit that referenced this pull request May 28, 2026