Skip to content

[Aikido] Fix 3 critical issues in jackc/pgx/v5, google.golang.org/grpc and 9 other issues#13

Closed
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-38430617-jmnn
Closed

[Aikido] Fix 3 critical issues in jackc/pgx/v5, google.golang.org/grpc and 9 other issues#13
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-38430617-jmnn

Conversation

@aikido-autofix

Copy link
Copy Markdown

Upgrade dependencies to fix critical memory-safety vulnerability in pgx, SQL injection via dollar-quoted strings, and gRPC authorization bypass via malformed HTTP/2 paths.

✅ 12 CVEs resolved by this upgrade, including 3 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-33816
🚨 CRITICAL
[github.com/jackc/pgx/v5] Memory-safety vulnerability in github.com/jackc/pgx/v5.
CVE-2026-41889
🚨 CRITICAL
[github.com/jackc/pgx/v5] SQL injection vulnerability exists when using the non-default simple protocol with dollar-quoted string literals containing attacker-controllable placeholder-like text. This allows remote code execution through malicious SQL injection.
CVE-2026-33186
🚨 CRITICAL
[google.golang.org/grpc] Improper HTTP/2 :path validation allows requests without leading slashes to bypass path-based authorization interceptors, enabling attackers to circumvent "deny" rules and access restricted gRPC methods. This authorization bypass affects servers using path-based RBAC policies with fallback "allow" rules.
GHSA-q382-vc8q-7jhj
HIGH
[github.com/modelcontextprotocol/go-sdk] The JSON parser treated keys with null Unicode characters as equivalent to base strings, allowing duplicate keys to override intended MCP messages and bypass intermediary inspection. This created cross-implementation inconsistency with other SDKs that use case-sensitive parsing, potentially enabling security-boundary confusion.
CVE-2026-34742
HIGH
[github.com/modelcontextprotocol/go-sdk] The MCP Go SDK lacks DNS rebinding protection by default on HTTP-based localhost servers without authentication, allowing malicious websites to bypass same-origin policy and invoke tools or access resources. This enables attackers to perform unauthorized actions on behalf of users in affected deployments.
CVE-2026-27896
HIGH
[github.com/modelcontextprotocol/go-sdk] The SDK's JSON parsing was case-insensitive, violating JSON-RPC 2.0 specification and allowing malicious peers to send protocol messages with non-standard field casing that bypass intermediary inspection. This has been fixed with case-sensitive JSON decoding.
CVE-2026-33252
MEDIUM
[github.com/modelcontextprotocol/go-sdk] The Streamable HTTP transport fails to validate the Origin header and Content-Type on POST requests, allowing cross-site requests to trigger MCP operations. In deployments without authorization, this enables arbitrary websites to execute tools on a local server via CSRF attacks.
CVE-2026-33997
HIGH
[github.com/docker/docker] A privilege validation bypass in plugin installation allows the daemon to incorrectly accept unapproved privilege sets due to flawed comparison logic, enabling plugins to gain unintended elevated permissions.
CVE-2026-34040
HIGH
[github.com/docker/docker] Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
CVE-2026-29181
HIGH
[go.opentelemetry.io/otel] Baggage header extraction parses multiple header values independently and aggregates them, allowing attackers to amplify CPU and memory usage by sending many baggage headers despite per-value size limits. This results in a denial-of-service vulnerability through resource exhaustion.
CVE-2026-24051
HIGH
[go.opentelemetry.io/otel/sdk] Path hijacking vulnerability in resource detection code allows local attackers to execute arbitrary code by manipulating the PATH environment variable on macOS systems.
CVE-2026-39883
HIGH
[go.opentelemetry.io/otel/sdk] A PATH hijacking vulnerability exists in the BSD kenv command execution, allowing attackers to execute arbitrary code by manipulating the PATH environment variable. This enables remote code execution on BSD and Solaris platforms.

@aikido-autofix

aikido-autofix Bot commented Jun 4, 2026

Copy link
Copy Markdown
Author

Closed by Aikido: a new AutoFix has been created → #23

@aikido-autofix aikido-autofix Bot closed this Jun 4, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-38430617-jmnn branch June 4, 2026 00:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants