Security: Fix CVE-2026-33186 (google.golang.org/grpc) SRVKP-11970 #1660

Merged

vdemeester merged 1 commit into release-v0.20.x from fix/SRVKP-11970-cve-2026-33186-grpc-release-v0.20.x-attempt-2 on May 18, 2026

Conversation

@jkhelil (Member) commented May 12, 2026

Summary

This PR fixes CVE-2026-33186 (GHSA-p77j-4mvh-x3m3) on the release-v0.20.x branch by upgrading google.golang.org/grpc from v1.77.0 to v1.79.3.

♻️ Replaces #1659 — same fix, recreated to resolve EasyCLA commit-author mismatch.

CVE Details

  • CVE ID: CVE-2026-33186
  • GHSA: GHSA-p77j-4mvh-x3m3
  • Package: google.golang.org/grpc
  • Severity: CRITICAL (CVSS 9.1)
  • Impact: Authorization bypass via missing leading slash in :path HTTP/2 pseudo-header. Affects gRPC-Go servers using path-based authorization interceptors.
  • Vulnerable versions: < v1.79.3
  • Fixed version: v1.79.3
  • Jira Issues: SRVKP-11970

⚠️ Minor Version Bump Required

No patch release exists in the v1.77.x line that contains this fix. The fix was introduced in v1.79.3.

Co-upgraded dependencies (pulled in by grpc v1.79.3):

  • go.opentelemetry.io/otel v1.38.0 → v1.39.0
  • golang.org/x/oauth2 v0.33.0 → v0.34.0
  • google.golang.org/genproto/googleapis/api (patch)
  • github.com/envoyproxy/protoc-gen-validate v1.2.1 → v1.3.0

Test Results

Status: ⚠️ Pre-existing failures (unrelated to this fix)

2 pre-existing test failures in pkg/chains/signing/x509 caused by missing Fulcio OIDC token files in the local test environment. All other packages: ✅ PASS

Risk Assessment

| Category | Level | Notes |
|---|---|---|
| Dependency bump | Medium | Minor version bump (v1.77→v1.79); no v1.77.x patch available |
| API compatibility | Medium | grpc internal API changes between minor versions |
| Auth behavior | Low | Fix strengthens auth by rejecting malformed :path headers |

🤖 Generated by CVE Fixer Workflow

Resolves: SRVKP-11970

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Made with Cursor

- Update google.golang.org/grpc from v1.77.0 to v1.79.3
- Addresses authorization bypass via missing leading slash in :path
  (GHSA-p77j-4mvh-x3m3, CVE-2026-33186, CVSS 9.1 Critical)
- Co-upgraded: go.opentelemetry.io/otel v1.38.0→v1.39.0,
  golang.org/x/oauth2 v0.33.0→v0.34.0,
  google.golang.org/genproto/googleapis/api (patch)

NOTE: This fix requires upgrading from v1.77.0 to v1.79.3 (minor version bump).
No patch release exists in the v1.77.x line that contains this fix.
The cascade of co-upgrades should be reviewed before merging.

Resolves: SRVKP-11970

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
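As an added illustration, not code from this PR, from Tekton Chains or from gRPC-Go, here is the defensive side of the issue the description names: a path-based authorization check that validates the shape of the method name before consulting any policy, so a name lacking the leading slash is denied rather than compared. It is written as plain functions so it runs without the grpc module; in a real server the same check would be called from a unary or stream interceptor on the full method name, and the service names, roles and policy table are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrMalformedPath = errors.New("malformed gRPC method path")
var ErrUnauthorized = errors.New("unauthorized")

// Constructed sample policy: fully qualified method name -> roles allowed to call it.
var methodPolicy = map[string]map[string]bool{
	"/example.Signer/Sign":   {"admin": true, "signer": true},
	"/example.Signer/Verify": {"admin": true, "signer": true, "reader": true},
}

// validateMethodPath enforces the canonical shape a gRPC server derives from the
// HTTP/2 :path pseudo-header: "/" + service + "/" + method, two non-empty segments.
// A name with no leading slash or a missing segment is rejected before any policy
// lookup, so a value that merely resembles an allowed method can never match it.
func validateMethodPath(p string) error {
	if !strings.HasPrefix(p, "/") {
		return fmt.Errorf("%w: missing leading slash in %q", ErrMalformedPath, p)
	}
	parts := strings.Split(p[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return fmt.Errorf("%w: want /service/method, got %q", ErrMalformedPath, p)
	}
	return nil
}

// authorize fails closed: a malformed path, a method with no policy entry and a
// caller without a matching role are all denied with a wrapped sentinel error.
func authorize(fullMethod string, callerRoles []string) error {
	if err := validateMethodPath(fullMethod); err != nil {
		return err
	}
	allowed, ok := methodPolicy[fullMethod]
	if !ok {
		return fmt.Errorf("%w: no policy for %q", ErrUnauthorized, fullMethod)
	}
	for _, role := range callerRoles {
		if allowed[role] {
			return nil
		}
	}
	return fmt.Errorf("%w: roles %v may not call %q", ErrUnauthorized, callerRoles, fullMethod)
}
```

Wrapping the sentinel errors lets the interceptor map ErrMalformedPath to an INVALID_ARGUMENT status and ErrUnauthorized to PERMISSION_DENIED while logging both for detection.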
@tekton-robot tekton-robot requested review from lcarva and wlynch May 12, 2026 12:33
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 12, 2026
@anithapriyanatarajan (Contributor):

/kind misc

@tekton-robot tekton-robot added the kind/misc Categorizes issue or PR as a miscellaneuous one. label May 14, 2026
@anithapriyanatarajan (Contributor):

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2026
@anithapriyanatarajan (Contributor):

/approve

@vdemeester (Member) left a comment:

/lgtm

@vdemeester vdemeester added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 18, 2026
@tekton-robot:

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: anithapriyanatarajan, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vdemeester vdemeester merged commit ed16f13 into release-v0.20.x May 18, 2026
9 checks passed
@vdemeester vdemeester deleted the fix/SRVKP-11970-cve-2026-33186-grpc-release-v0.20.x-attempt-2 branch May 18, 2026 10:30