Is your feature request related to a problem? Please describe.
Cortex 1.21.0 currently vendors google.golang.org/grpc below the scanner-required fixed version for CVE-2026-33186. The vulnerable behavior is that grpc-go versions before 1.79.3 may accept non-canonical HTTP/2 :path values, such as Service/Method instead of /Service/Method, allowing path-based authorization logic to observe a different method string than the router used.
Cortex 1.21.0 currently resolves grpc through its upstream dependency/vendor set:
google.golang.org/grpc v1.78.0 => google.golang.org/grpc v1.71.2
Describe the solution you'd like
Update grpc vendor version to >1.79.3
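A check for the condition this issue reports, as an added example (not code from Cortex or grpc-go): it resolves the effective grpc version from a resolution line like the one quoted above, where the replace target overrides the required version, and compares it with the 1.79.3 fix version the issue names. The function names are hypothetical, and the handling of a leading "# " assumes the line may come from `vendor/modules.txt`.

```go
package main

import (
	"fmt"
	"strings"
)

const fixedVersion = "v1.79.3" // fixed grpc-go release named in the issue

// effectiveVersion returns the version actually built for mod from lines of the
// form "path version [=> path version]"; a leading "# " is tolerated.
func effectiveVersion(lines []string, mod string) (string, bool) {
	for _, ln := range lines {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(ln), "# "))
		if len(f) < 2 || f[0] != mod || !strings.HasPrefix(f[1], "v") {
			continue
		}
		if len(f) == 5 && f[2] == "=>" {
			return f[4], true // the replace target wins over the required version
		}
		if len(f) > 2 {
			return "", false // e.g. replaced by a local directory: version unknown
		}
		return f[1], true
	}
	return "", false
}

// belowFix reports whether v sorts before fixedVersion. A pre-release of the
// fixed version (e.g. v1.79.3-dev) counts as below it.
func belowFix(v string) (bool, error) {
	var got, want [3]int
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("not a semantic version: %q", v)
	}
	fmt.Sscanf(fixedVersion, "v%d.%d.%d", &want[0], &want[1], &want[2])
	for i := range got {
		if got[i] != want[i] {
			return got[i] < want[i], nil
		}
	}
	return pre != "", nil
}

func main() {
	// Constructed input: the resolution line quoted in the issue.
	v, _ := effectiveVersion([]string{"# google.golang.org/grpc v1.78.0 => google.golang.org/grpc v1.71.2"}, "google.golang.org/grpc")
	below, err := belowFix(v)
	fmt.Println(v, below, err)
}
```

The required version alone is not enough to decide: the replace target is what ends up in the build, so that is the value compared against the fix version.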