security: bump grpc to 1.79.3 (CVE-2026-33186) #17
Closed
kevinelliott wants to merge 1 commit into main from
Fixes CVE-2026-33186: gRPC-Go authorization bypass via missing leading slash in :path. Vulnerable range <1.79.3, patched in 1.79.3.

Transitive bumps:
- golang.org/x/net v0.47.0 -> v0.48.0
- golang.org/x/sync v0.18.0 -> v0.19.0
- golang.org/x/text v0.31.0 -> v0.32.0
- google.golang.org/genproto/googleapis/rpc (corresponding bump)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
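An added check, not part of this PR or the project, that a reviewer can run against a go.mod to confirm the required google.golang.org/grpc version is at or above the patched 1.79.3 named in the commit message. The go.mod excerpt embedded below is constructed to resemble the pre-bump state, and the semver comparison is a small stdlib-only routine written for this example rather than golang.org/x/mod.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt resembling the pre-bump state
// described in the commit message; it is not the project's real go.mod.
const sampleGoMod = `module example.com/vulnerable-service

go 1.24

require (
	golang.org/x/net v0.47.0
	google.golang.org/grpc v1.78.0 // indirect
	google.golang.org/protobuf v1.36.6
)
`

// patchedGRPC is the first fixed version named in the commit message.
const patchedGRPC = "v1.79.3"

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numeric parts.
// Build metadata is dropped; a pre-release suffix is reported via pre=true.
func parseSemver(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = true
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false, fmt.Errorf("bad version component %q", f)
		}
		parts[i] = n
	}
	return parts, pre, nil
}

// compareSemver returns -1, 0 or 1 as a is older than, equal to or newer than b.
// With equal numbers, a pre-release sorts before the release.
func compareSemver(a, b string) (int, error) {
	pa, preA, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	pb, preB, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			if pa[i] < pb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case preA && !preB:
		return -1, nil
	case !preA && preB:
		return 1, nil
	}
	return 0, nil
}

// requiredVersion scans go.mod text for the version required for module.
// It handles the single-line "require m v" form and the parenthesised block,
// and ignores trailing "// indirect" comments.
func requiredVersion(goMod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// grpcIsPatched reports whether go.mod requires google.golang.org/grpc at or
// above patchedGRPC. A missing or unparsable version counts as not patched.
func grpcIsPatched(goMod string) bool {
	v, ok := requiredVersion(goMod, "google.golang.org/grpc")
	if !ok {
		return false
	}
	c, err := compareSemver(v, patchedGRPC)
	return err == nil && c >= 0
}

func main() {
	v, _ := requiredVersion(sampleGoMod, "google.golang.org/grpc")
	fmt.Printf("google.golang.org/grpc %s patched=%v\n", v, grpcIsPatched(sampleGoMod))
}
```

For the real module graph, `go list -m google.golang.org/grpc` prints the selected version, which under minimal version selection is never lower than what go.mod requires, and `govulncheck ./...` reports whether a vulnerable version is actually reachable from the code.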
Pull request overview
Updates Go module dependencies to remediate CVE-2026-33186 by bumping google.golang.org/grpc to a patched version, along with associated transitive dependency updates reflected in go.mod/go.sum.
Changes:
- Bump google.golang.org/grpc from v1.78.0 → v1.79.3.
- Update related dependencies (golang.org/x/net, golang.org/x/sync, golang.org/x/text, genproto/googleapis/rpc) and refresh go.sum.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updates required module versions for gRPC and related direct/indirect deps. |
| go.sum | Refreshes checksums for updated deps; also includes additional transitive changes. |
kevinelliott added a commit that referenced this pull request on Apr 21, 2026
Promote the Unreleased section to 1.1.0 and capture everything landed since v1.0.24: the parallel version-check perf work (#16), the google.golang.org/grpc CVE-2026-33186 security bump (#17), the golangci-lint pinning (#18), and the shared detect+version-check pipeline refactor (#19). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
kevinelliott (Owner, Author):
Commit already on main as 75fc1e0. Closing as stale.
Summary
Resolves Dependabot alert #1: CVE-2026-33186, a critical authorization bypass in gRPC-Go via missing leading slash in :path.

| Vulnerable versions | Patched version |
|---|---|
| < 1.79.3 | 1.79.3 |

Changes
- google.golang.org/grpc: v1.78.0 → v1.79.3
- x/net v0.48.0, x/sync v0.19.0, x/text v0.32.0, genproto/googleapis/rpc corresponding bump

Test plan
- go build ./... clean
- go test ./pkg/api/grpc/... -race green
- go test ./... -race -short green

🤖 Generated with Claude Code
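The PR describes CVE-2026-33186 only as an authorization bypass via a missing leading slash in :path, and the remediation here is the version bump. To show why that class of bug exists, the following is an added example, not gRPC-Go's code and not a reproduction of the actual CVE: a toy prefix-matching policy that falls through to its default allow when the raw :path lacks the leading slash, beside a version that canonicalises the method path first and fails closed on anything it cannot canonicalise. The service names, the single policy rule and the principal type are all constructed for the illustration; whether an unprefixed :path would ever reach a handler depends on the server.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// principal is a constructed caller identity carrying a set of roles.
type principal struct{ roles map[string]bool }

// rule is one entry of a constructed path-prefix policy: requests whose
// method path starts with pathPrefix need the named role.
type rule struct {
	pathPrefix string // e.g. "/admin.Service/"
	requires   string // role needed; "" means none
}

// policy denies the (constructed) admin service to anyone without the admin
// role and allows everything else by default.
var policy = []rule{
	{pathPrefix: "/admin.Service/", requires: "admin"},
}

// naiveAllowed matches the raw :path against the rules. A request whose :path
// omits the leading slash ("admin.Service/Reset") matches no rule and falls
// through to the default allow: the failure mode the CVE description names.
func naiveAllowed(path string, p principal) bool {
	for _, r := range policy {
		if strings.HasPrefix(path, r.pathPrefix) {
			return r.requires == "" || p.roles[r.requires]
		}
	}
	return true
}

// validSegment accepts the characters a protobuf service or method name can
// contain (letters, digits, underscore, dot) and rejects empty or dot-only parts.
func validSegment(seg string) bool {
	if seg == "" || seg == "." || seg == ".." {
		return false
	}
	for _, c := range seg {
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '_', c == '.':
		default:
			return false
		}
	}
	return true
}

// canonicalPath returns a gRPC method path in "/pkg.Service/Method" form or an
// error. It requires exactly one leading slash, exactly two segments and no
// characters (such as '%' or a second '/') that a method path cannot contain.
func canonicalPath(raw string) (string, error) {
	if raw == "" || raw[0] != '/' {
		return "", errors.New(":path must start with '/'")
	}
	parts := strings.Split(raw[1:], "/")
	if len(parts) != 2 {
		return "", fmt.Errorf("malformed gRPC method path %q", raw)
	}
	for _, seg := range parts {
		if !validSegment(seg) {
			return "", fmt.Errorf("illegal path segment %q in %q", seg, raw)
		}
	}
	return raw, nil
}

// hardenedAllowed canonicalises first and fails closed, so a missing slash is a
// rejected request rather than an unmatched rule, for every caller.
func hardenedAllowed(raw string, p principal) bool {
	path, err := canonicalPath(raw)
	if err != nil {
		return false
	}
	return naiveAllowed(path, p)
}

func main() {
	anon := principal{}
	for _, p := range []string{"/admin.Service/Reset", "admin.Service/Reset"} {
		fmt.Printf("%-22s naive=%-5v hardened=%v\n", p, naiveAllowed(p, anon), hardenedAllowed(p, anon))
	}
}
```

The design point is that an authorization layer must not rely on the router's normalisation of :path; it should decide on a canonical form it produced itself, and reject rather than allow when that form cannot be produced.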