gh bundles google.golang.org/grpc affected by CVE-2026-33186 (authorization bypass)

[Frostburn2332]

gh currently bundles google.golang.org/grpc at a version affected by CVE-2026-33186 — an authorization bypass caused by a missing leading slash in :path.

The server-side bypass doesn't apply to gh itself (it's a client, not a gRPC server), so this is not directly exploitable in gh's use case. However, image scanners flag gh binaries for this CVE, forcing downstream consumers to suppress it.

The fix is in grpc-go v1.79.3. Could a gh release be cut that picks up grpc-go >= 1.79.3?

Filed to track on our side — happy to share more context if helpful.

[williammartin]

What version of gh are you running against, I think this already went out in https://github.com/cli/cli/releases/tag/v2.90.0 in #13076

[github-actions]

Thank you for your issue! Unfortunately, we are unable to reproduce the issue you are experiencing. Please provide more information so we can help you.

Here are some tips for writing reproduction steps:

• Step by step instructions accompanied by screenshots or screencasts are the best.

• Be as specific as possible; include as much detail as you can.

• If not already provided, include:

  • the version of the application you are using.
  • the operating system you are using
  • any environment factors you can think of.
  • any custom configuration you are using.

• If relevant and can be shared, provide the repository or code you are using.

[github-actions]

Thank you for your issue!
We haven't gotten a response to our questions above. With only the information that is currently in the issue, we don't have enough information to take action. We're going to close this but don't hesitate to reach out if you have or find the answers we need. If you answer our questions above, this issue will automatically reopen.