
[Release-4.18] OCPBUGS-80304: Update grpc-go to v1.71.3-sec.1 to fix CVE-2026-33186#735

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:release-4.18 from MrSanketkumar:grpc-patch-cve-fix-4.18
May 26, 2026

Conversation


@MrSanketkumar MrSanketkumar commented May 25, 2026

Summary

Fixes CVE-2026-33186 by updating grpc to patched version v1.71.3-sec.1 from openshift-sustaining fork.

Changes

  • Main module: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
  • openshift/default-catalog-consistency: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
  • Updated vendor directories

Summary by CodeRabbit

  • Chores
    • Updated core infrastructure dependencies to latest stable versions for improved compatibility and security.
    • Applied security patches to gRPC implementation.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 25, 2026
@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80304, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80485 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai Bot commented May 25, 2026

Walkthrough

This PR updates Go module dependencies across two go.mod files. It bumps OpenTelemetry, OAuth2, and Google package versions to newer releases, and applies a gRPC security patch by replacing google.golang.org/grpc with github.com/openshift-sustaining/grpc-go v1.71.3-sec.1 consistently in both the main module and transitive dependencies.

Changes

Dependency Updates and Security Overrides

Layer / File(s) / Summary

  • OpenTelemetry and OAuth2 version bumps (go.mod): OpenTelemetry auto/sdk, core, metric, trace, and OTLP exporter packages are bumped to newer releases, and golang.org/x/oauth2 is updated from v0.22.0 to v0.25.0.
  • Google packages and gRPC security patch override (go.mod): google.golang.org/genproto, google.golang.org/grpc, and google.golang.org/protobuf are bumped to newer versions, and a replace directive pins google.golang.org/grpc to github.com/openshift-sustaining/grpc-go v1.71.3-sec.1.
  • Transitive module dependency synchronization (openshift/default-catalog-consistency/go.mod): Matching dependency version bumps and the gRPC replace directive are applied to keep transitive dependencies in sync with the main module.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm, approved, jira/valid-bug, backport-risk-assessed, verified


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors)

  • Stable And Deterministic Test Names: Error. Test name uses fmt.Sprintf with a dynamic variable in ./openshift/default-catalog-consistency/test/validate/suite_test.go line 58: It(fmt.Sprintf("validates image: %s", name), func() {...}). Resolution: replace the fmt.Sprintf test title with static strings; move image validation logic to parameterized tests or generate test names from static strings without fmt.Sprintf.
  • Ote Binary Stdout Contract: Error. fmt.Println() in suite setup at openshift/default-catalog-consistency/test/validate/suite_test.go:51 violates the OTE stdout contract by writing JSON-incompatible output during Describe initialization. Resolution: replace fmt.Println() with GinkgoWriter.Printf() or remove debug logging to comply with the OTE Binary Stdout Contract.

✅ Passed checks (10 passed)

  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: updating grpc-go to a specific patched version to fix a CVE vulnerability, with release branch context.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Test Structure And Quality: Passed. PR adds repository with only 2 Ginkgo test files meeting quality standards: single responsibility per It block, setup via BeforeEach, meaningful assertions, and consistent patterns with codebase.
  • Microshift Test Compatibility: Passed. PR only modifies go.mod dependency versions (CVE-2026-33186 grpc fix); no new e2e tests added, so MicroShift compatibility check is not applicable.
  • Single Node Openshift (Sno) Test Compatibility: Passed. The PR adds only unit tests (registryv1_test.go using Ginkgo) that create in-memory Kubernetes objects without cluster interaction. No multi-node assumptions detected; fully SNO-compatible.
  • Topology-Aware Scheduling Compatibility: Passed. PR only updates Go dependency versions in go.mod files; does not modify deployment manifests, operator code, or controllers with scheduling constraints.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. PR contains only go.mod dependency updates and vendor directory changes; no new Ginkgo e2e tests are added, making this check not applicable.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from joelanford and tmshort May 25, 2026 07:53
@MrSanketkumar (Author)

@coderabbitai review


coderabbitai Bot commented May 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 218: Update the indirect dependency entry for golang.org/x/oauth2 in
go.mod from v0.25.0 to v0.27.0 (or later) to pick up security fixes; run `go get
golang.org/x/oauth2@v0.27.0` (or newer) and then `go mod tidy` to update go.sum
and ensure the module graph is consistent so the go.mod line for
golang.org/x/oauth2 reflects the new version.
- Line 216: Update the pinned dependency for golang.org/x/crypto in go.mod from
v0.32.0 to a non-vulnerable version (at least v0.35.0, preferably v0.52.0); edit
the golang.org/x/crypto module line in go.mod to the chosen safe version and run
go mod tidy to update go.sum and ensure the lockfile reflects the new version.
- Around line 206-213: Update the vulnerable module entry
go.opentelemetry.io/otel/sdk (currently pinned as v1.34.0) to a patched release
(at least v1.40.0); change the version in go.mod to v1.40.0 (or later), then run
go get go.opentelemetry.io/otel/sdk@v1.40.0 and go mod tidy to refresh go.sum
and ensure dependency compatibility; verify related otel packages (e.g.,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/trace) remain
compatible after the bump.
- Around line 227-230: The go.mod replace for google.golang.org/grpc points to
github.com/openshift-sustaining/grpc-go v1.71.3-sec.1 but the review warns
CVE-2026-33186 is fixed in gRPC-Go v1.79.3; verify and ensure the fork/tag you
reference actually includes the HTTP/2 :path leading-slash authorization-bypass
fix (strict path handling/backport) or update the replace to a tag that is
proven to contain the patch (e.g., a fork/tag that backports the CVE or upgrade
to upstream v1.79.3+); update go.mod replace directive accordingly and add a
brief comment documenting the evidence (commit/tag or CVE backport reference)
proving the chosen version includes the fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fa4b2bdd-7a76-42ee-ae19-8f280dc31b4e

📥 Commits

Reviewing files that changed from the base of the PR and between 48a1e92 and 302a036.

⛔ Files ignored due to path filters (222)
  • vendor/google.golang.org/protobuf/runtime/protoimpl/impl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/dynamicpb/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (2)
  • go.mod
  • openshift/default-catalog-consistency/go.mod

Comment thread go.mod
Comment on lines +206 to +213
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
go.opentelemetry.io/otel v1.29.0 // indirect
go.opentelemetry.io/otel v1.34.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
go.opentelemetry.io/otel/metric v1.29.0 // indirect
go.opentelemetry.io/otel/sdk v1.29.0 // indirect
go.opentelemetry.io/otel/trace v1.29.0 // indirect
go.opentelemetry.io/otel/metric v1.34.0 // indirect
go.opentelemetry.io/otel/sdk v1.34.0 // indirect
go.opentelemetry.io/otel/trace v1.34.0 // indirect
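Review bot: the move of go.opentelemetry.io/otel, otel/metric, otel/sdk and otel/trace from v1.29.0 to v1.34.0 in this hunk is not reflected in the PR's Changes list, which names only the grpc replace and the vendor refresh; add it, with a one-line reason (for example, pulled in transitively by the grpc bump), to the description and commit message so the release-4.18 backport record shows every module that moved. Note also that go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc stays at v1.27.0 while the otel core modules go to v1.34.0; CI is green, but a `go vet ./...` run against that mix is cheap confirmation that nothing relies on the exporter and SDK being at the same minor.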

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

go.opentelemetry.io/otel/sdk 1.34.0 vulnerability PATH hijacking GO-2026-4394

💡 Result:

GO-2026-4394 describes an OpenTelemetry Go SDK vulnerability where local PATH hijacking can lead to arbitrary code execution (ACE).

1) What's affected
  • Vulnerable module: go.opentelemetry.io/otel/sdk.
  • OS/file: the vulnerability is about PATH hijacking when the SDK executes system commands during resource detection (host ID collection). An advisory example describes macOS/Darwin "ioreg" being executed via PATH lookup, where a locally set PATH can cause execution of an attacker-controlled binary instead [1].

2) Why it's vulnerable (PATH hijacking / untrusted search path)
  • The issue class is "Untrusted Search Path" (CWE-426), where commands are executed using a search path rather than an absolute path, so a malicious executable earlier in PATH can be invoked [1].
  • The OpenTelemetry advisories explain that the exploit requires local ability to modify PATH so that the SDK's command resolution picks the attacker's binary [1].

3) Range in the vulnerability database
  • OSV's entry for GO-2026-4394 states the OpenTelemetry Go SDK is vulnerable from 1.21.0 (introduced) until 1.40.0 (fixed) [2].
  • This means go.opentelemetry.io/otel/sdk v1.34.0 is within the vulnerable range (>= 1.21.0 and < 1.40.0) [2][3].

4) Fixed version / remediation
  • Upgrade to go.opentelemetry.io/otel/sdk v1.40.0 or later; OSV lists 1.40.0 as the fixed version for GO-2026-4394 [2].
  • The upstream advisory for the related PATH-hijacking issue also states it is patched in the release that shipped v1.40.0 [1].

5) Practical mitigation if you can't upgrade immediately
  • Prevent local attackers from influencing PATH (or run in an environment where PATH cannot be modified by untrusted users), because the core condition is the ability to locally modify PATH so the SDK executes an attacker-controlled binary [1].

Note on naming: the OpenTelemetry repo has multiple advisories around PATH hijacking; the one that explicitly references ioreg on macOS/Darwin is GHSA-9h8m-3fm2-qjrq (CVE-2026-24051), and it aligns with the same overall class and fix timeline that OSV captures under GO-2026-4394 [2][1].


Bump go.opentelemetry.io/otel/sdk from v1.34.0 to a patched release (v1.40.0+) to fix PATH-hijacking arbitrary code execution.

  • go.opentelemetry.io/otel/sdk v1.34.0 is within the vulnerable range for GO-2026-4394 / GHSA-9h8m-3fm2-qjrq (patched in v1.40.0).
  • The fixed version for GHSA-hfvc-g4fc-pqhx isn't established from the available evidence; please still ensure the upgrade covers that advisory as well.
🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 212-212: go.opentelemetry.io/otel/sdk 1.34.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)


[HIGH] 212-212: go.opentelemetry.io/otel/sdk 1.34.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)


[HIGH] 212-212: go.opentelemetry.io/otel/sdk 1.34.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 206 - 213, Update the vulnerable module entry
go.opentelemetry.io/otel/sdk (currently pinned as v1.34.0) to a patched release
(at least v1.40.0); change the version in go.mod to v1.40.0 (or later), then run
go get go.opentelemetry.io/otel/sdk@v1.40.0 and go mod tidy to refresh go.sum
and ensure dependency compatibility; verify related otel packages (e.g.,
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/trace) remain
compatible after the bump.

Comment thread go.mod
go.opentelemetry.io/otel/trace v1.34.0 // indirect
go.opentelemetry.io/proto/otlp v1.3.1 // indirect
go.starlark.net v0.0.0-20230612165344-9532f5667272 // indirect
golang.org/x/crypto v0.32.0 // indirect

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

golang.org/x/crypto 0.32.0 vulnerabilities GO-2025-3487 latest patched version

💡 Result:

For golang.org/x/crypto, the latest patched version as of 2026-05-25 is v0.52.0 (go.dev/pkglatest). [1] GO-2025-3487 affects golang.org/x/crypto. It was published Feb 26, 2025, and the affected versions are “before v0.35.0”; i.e., v0.35.0 is the first patched release for this specific issue. [2] So for a project currently using golang.org/x/crypto v0.32.0, it is affected by GO-2025-3487, and should be upgraded to at least v0.35.0 (preferably to the newest available: v0.52.0). [2][3][1]


Update golang.org/x/crypto in go.mod: v0.32.0 is affected by GO-2025-3487.
go.mod pins golang.org/x/crypto v0.32.0, and GO-2025-3487 affects versions before v0.35.0; upgrade to at least v0.35.0 (latest patched: v0.52.0).

golang.org/x/crypto v0.32.0 // indirect
🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 216-216: golang.org/x/crypto 0.32.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Potential denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4116)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Unbounded memory consumption in golang.org/x/crypto/ssh

(GO-2025-4134)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4135)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent

(GO-2026-5005)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

(GO-2026-5006)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh

(GO-2026-5013)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

(GO-2026-5014)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

(GO-2026-5015)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

(GO-2026-5016)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh

(GO-2026-5017)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

(GO-2026-5018)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

(GO-2026-5019)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh

(GO-2026-5020)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts

(GO-2026-5021)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh

(GO-2026-5023)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

(GO-2026-5033)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

(GHSA-f6x5-jh6r-wrfv)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)


[HIGH] 216-216: golang.org/x/crypto 0.32.0: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

(GHSA-j5w8-q4qc-rx2x)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 216, Update the pinned dependency for golang.org/x/crypto in
go.mod from v0.32.0 to a non-vulnerable version (at least v0.35.0, preferably
v0.52.0); edit the golang.org/x/crypto module line in go.mod to the chosen safe
version and run go mod tidy to update go.sum and ensure the lockfile reflects
the new version.

Comment thread go.mod
golang.org/x/crypto v0.32.0 // indirect
golang.org/x/net v0.34.0 // indirect
golang.org/x/oauth2 v0.22.0 // indirect
golang.org/x/oauth2 v0.25.0 // indirect
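Review bot: golang.org/x/oauth2 moves from v0.22.0 to v0.25.0 here, but this bump is also missing from the Changes list; document it as a transitive consequence of the grpc replace. Since the line is being touched anyway, state in the description why v0.27.0, which the scanner output in this thread names as the fixed version for GO-2025-3488, was not picked, so the backport reviewer does not have to rediscover that this PR intentionally leaves that advisory open.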

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

golang.org/x/oauth2 0.25.0 vulnerability GO-2025-3488 memory consumption

💡 Result:

For golang.org/x/oauth2 version v0.25.0, the relevant memory-consumption vulnerability is documented in Go vulnerability record GO-2025-3488 (CVE-2025-22868): an attacker can send a malicious malformed token that causes unexpected memory consumption during parsing, i.e., a denial-of-service style issue [1][2]. Affected versions: the Go vulnerability entry states it affects golang.org/x/oauth2 before v0.27.0 (introduced fixed at 0.27.0) [1][3][2]. Therefore, v0.25.0 is within the affected range [1]. Fix / remediation: the Go security announcement for this issue says they tagged v0.27.0 to address the security issue in the golang.org/x/oauth2/jws package, with version v0.27.0 fixing the problem [2]. (OSV/Go vuln pages also show the fix at 0.27.0) [1][3]. Memory consumption details (what the issue is): the Go vuln entry describes “unexpected memory to be consumed during parsing” when parsing a malformed token [1]. The pkg.go.dev vuln entry additionally summarizes it as “Unexpected memory consumption during token parsing in golang.org/x/oauth2” [3].


🌐 Web query:

GHSA-6v2p-p543-phr9 golang.org/x/oauth2 affected fixed version

💡 Result:

For GHSA-6v2p-p543-phr9 affecting golang.org/x/oauth2, the fixed version is 0.27.0, and the affected range is versions from 0 up to (but not including) 0.27.0 (i.e., fixed starting at 0.27.0). [1][2][3] So, to remediate on today’s date (2026-05-25), upgrade golang.org/x/oauth2 to version 0.27.0 or later. [1][2][3]


Update golang.org/x/oauth2 to pick up security fixes (currently v0.25.0 is affected)

go.mod currently pins golang.org/x/oauth2 v0.25.0 // indirect, which is affected by:

Upgrade golang.org/x/oauth2 to v0.27.0 or later.

golang.org/x/oauth2 v0.25.0 // indirect
🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 218-218: golang.org/x/oauth2 0.25.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 218-218: golang.org/x/oauth2 0.25.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 218, Update the indirect dependency entry for
golang.org/x/oauth2 in go.mod from v0.25.0 to v0.27.0 (or later) to pick up
security fixes; run `go get golang.org/x/oauth2@v0.27.0` (or newer) and then `go
mod tidy` to update go.sum and ensure the module graph is consistent so the
go.mod line for golang.org/x/oauth2 reflects the new version.

Comment thread go.mod
Comment on lines +227 to +230
google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
google.golang.org/grpc v1.70.0 // indirect
google.golang.org/protobuf v1.36.4 // indirect
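Review bot: the require line still reads google.golang.org/grpc v1.70.0 // indirect, so on its own this hunk shows no fix; the CVE remediation rests entirely on the replace directive from the PR summary, which is not part of this snippet. Please confirm the replace exists in both go.mod files named in the summary (the main module and openshift/default-catalog-consistency), that vendor/modules.txt records github.com/openshift-sustaining/grpc-go v1.71.3-sec.1 as the replacement, and that `go mod verify` passes; otherwise a later `go get -u` of grpc can silently reintroduce the unpatched module. A comment beside the replace naming the backported upstream fix (tag or commit) would close the evidence gap the CodeRabbit comment raises.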

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

CVE-2026-33186 grpc-go details

💡 Result:

CVE-2026-33186 is a gRPC-Go authorization bypass caused by improper validation of the HTTP/2 :path pseudo-header (missing the mandatory leading slash). When a request is sent with :path like "Service/Method" instead of "/Service/Method", gRPC-Go routes it correctly, but path-based authorization interceptors (including google.golang.org/grpc/authz) evaluate the raw non-canonical path. As a result, "deny" rules that target canonical paths (starting with "/") fail to match, which can allow the request to proceed if a fallback "allow" policy exists [1][2].

Affected versions / fixed version: gRPC-Go versions prior to v1.79.3 are vulnerable; v1.79.3 contains the fix [1][3].

Technical root cause (as described in sources): gRPC-Go's server transport/routing layer was overly lenient about :path formatting, allowing requests where the :path omitted the leading slash to reach authorization logic using the non-canonical value [1][2].

What the fix does: the fix rejects requests whose :path does not start with "/" by immediately returning a gRPC error (codes.Unimplemented), preventing malformed paths from reaching authorization interceptors or handlers [1][4]. The grpc-go PR notes this as "strict path checking" in Server.handleStream and mentions a temporary opt-out env var GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING=true [4].

Who is impacted (conditions for exploitation): gRPC-Go servers that use path-based authorization interceptors (including the official authz RBAC) and have security policies with specific "deny" rules for canonical paths, but permissive fallback behavior (e.g., a fallback allow) [1]. Exploitation requires an attacker that can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server (no credentials/prior state is implied in the NVD-style description) [1].

Practical mitigation:
1) Upgrade to grpc-go / google.golang.org/grpc v1.79.3 or later [1].
2) If upgrading isn't immediately possible, apply mitigations mentioned in NVD: use a validating interceptor (recommended), normalize at the infrastructure layer, and/or harden policy [1].

Examples from downstream ecosystems: the Traefik advisory indicates the fix propagates by bumping its dependency to gRPC-Go versions containing the patch; it lists affected Traefik versions and patched Traefik versions (v2.11.42, v3.6.12, v3.7.0-ea.3) [5].


🏁 Script executed:

#!/bin/bash
# Verify the openshift-sustaining grpc-go security patch version exists
echo "Checking if github.com/openshift-sustaining/grpc-go v1.71.3-sec.1 exists..."
go list -m -versions github.com/openshift-sustaining/grpc-go 2>&1 | head -20

# Check the CVE advisory using GitHub CLI
echo -e "\nChecking for gRPC security advisories..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "google.golang.org/grpc") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
        identifiers {
          type
          value
        }
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/operator-framework-operator-controller

Length of output: 1877


CVE-2026-33186 is fixed in gRPC-Go 1.79.3; ensure the fork/tag the replace directive points to actually includes that patch

  • CVE-2026-33186 (GHSA-p77j-4mvh-x3m3) is a gRPC-Go authorization bypass caused by HTTP/2 :path missing the leading /; advisories indicate versions < 1.79.3 are vulnerable and the first patched version is 1.79.3.
  • The go.mod replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1 directive should be backed by evidence that v1.71.3-sec.1 contains the same authorization bypass fix (strict path handling/backport) and that it’s the correct intended security backport for the release-4.18 branch.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 227 - 230, The go.mod replace for google.golang.org/grpc
points to github.com/openshift-sustaining/grpc-go v1.71.3-sec.1 but the review
warns CVE-2026-33186 is fixed in gRPC-Go v1.79.3; verify and ensure the fork/tag
you reference actually includes the HTTP/2 :path leading-slash
authorization-bypass fix (strict path handling/backport) or update the replace
to a tag that is proven to contain the patch (e.g., a fork/tag that backports
the CVE or upgrade to upstream v1.79.3+); update go.mod replace directive
accordingly and add a brief comment documenting the evidence (commit/tag or CVE
backport reference) proving the chosen version includes the fix.
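The mechanism the comment above describes (a deny rule keyed on "/Service/Method" that never sees "Service/Method") and its recommended mitigation, a validating interceptor, as an added example that is not code from grpc-go, from the openshift-sustaining fork, or from this repository. It uses only the Go standard library so it runs offline: Policy, Decide, GuardedDecide, ValidateFullMethod and the example.Admin / example.Public paths are all constructed for this illustration. In a real server the same ValidateFullMethod check would run on info.FullMethod inside a grpc.UnaryServerInterceptor and a grpc.StreamServerInterceptor registered with grpc.ChainUnaryInterceptor / grpc.ChainStreamInterceptor ahead of the authz interceptor, returning status.Error(codes.Unimplemented, ...) as the upstream fix does.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNonCanonicalPath is returned for a method path that lacks the
// mandatory leading slash. In a real interceptor this maps to
// codes.Unimplemented, the code the upstream fix returns.
var ErrNonCanonicalPath = errors.New("non-canonical method path: missing leading '/'")

// ValidateFullMethod checks that a gRPC method path is canonical, i.e.
// "/<package.Service>/<Method>". The leading-slash check is the one the
// advisory describes; the service/method shape check is extra hardening
// added in this example (assumption: no gRPC method name contains '/').
func ValidateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrNonCanonicalPath
	}
	service, method, found := strings.Cut(fullMethod[1:], "/")
	if !found || service == "" || method == "" || strings.Contains(method, "/") {
		return fmt.Errorf("malformed method path %q", fullMethod)
	}
	return nil
}

// Policy is a toy deny-then-allow policy of the shape the advisory
// describes: explicit deny rules keyed on canonical paths plus a
// permissive fallback (constructed for this example, not grpc/authz).
type Policy struct {
	DenyPaths     map[string]bool
	FallbackAllow bool
}

// Decide evaluates whatever path string it is handed, exactly as a
// path-based interceptor that trusts the :path header would.
func (p Policy) Decide(path string) bool {
	if p.DenyPaths[path] {
		return false
	}
	return p.FallbackAllow
}

// GuardedDecide puts the validator in front of the policy, so a
// non-canonical path is rejected before any rule is consulted.
func GuardedDecide(p Policy, path string) (bool, error) {
	if err := ValidateFullMethod(path); err != nil {
		return false, err
	}
	return p.Decide(path), nil
}

func main() {
	p := Policy{
		DenyPaths:     map[string]bool{"/example.Admin/Reset": true},
		FallbackAllow: true,
	}
	for _, path := range []string{"/example.Admin/Reset", "example.Admin/Reset", "/example.Public/Ping"} {
		raw := p.Decide(path)
		guarded, err := GuardedDecide(p, path)
		fmt.Printf("%-22s raw policy allow=%-5v guarded allow=%-5v err=%v\n", path, raw, guarded, err)
	}
}
```

Run it with `go run`; the second output line is the point: the raw policy allows example.Admin/Reset because the map lookup for the canonical key misses and the fallback applies, while the guarded path rejects the request before the policy is consulted. Placing the validator first in the interceptor chain is what makes the deny rules reliable, independent of whether the transport layer has the upstream strict-path fix.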

@MrSanketkumar MrSanketkumar force-pushed the grpc-patch-cve-fix-4.18 branch from 302a036 to ae7cc30 Compare May 25, 2026 08:09
@openshift-ci
Contributor

openshift-ci Bot commented May 25, 2026

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80304, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80485 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 26, 2026
@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80304, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.z) matches configured target version for branch (4.18.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-80485 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-80485 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

In response to this:

/jira refresh

@UdayYendva

/label veriifed

@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

@UdayYendva: The label(s) /label veriifed cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, ux-approved, no-qe, rebase/manual, cluster-config-api-changed, run-integration-tests, verified, ready-for-human-review, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/skip-dependent-bug-check, jira/valid-bug, ok-to-test, stability-fix-approved, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label veriifed

@rissh

rissh commented May 26, 2026

/verified by ci

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 26, 2026
@openshift-ci-robot

@rissh: This PR has been marked as verified by ci.

In response to this:

/verified by ci

@perdasilva
Contributor

/approve

@perdasilva
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 26, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrSanketkumar, perdasilva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 26, 2026
@prabhapa

/label backport-risk-assessed

@openshift-ci openshift-ci Bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label May 26, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 16909bf into openshift:release-4.18 May 26, 2026
9 checks passed
@openshift-ci-robot

@MrSanketkumar: Jira Issue Verification Checks: Jira Issue OCPBUGS-80304
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-80304 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

In response to this:

Summary

Fixes CVE-2026-33186 by updating grpc to patched version v1.71.3-sec.1 from openshift-sustaining fork.

Changes

  • Main module: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
  • openshift/default-catalog-consistency: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1
  • Updated vendor directories

Summary by CodeRabbit

  • Chores
  • Updated core infrastructure dependencies to latest stable versions for improved compatibility and security.
  • Applied security patches to gRPC implementation.

@openshift-merge-robot
Contributor

Fix included in release 4.18.0-0.nightly-2026-05-26-171704
