[1.19] fix: CVE-2026-33186 gRPC-Go auth bypass (HTTP/2 path validation) #1117

Merged
openshift-merge-bot[bot] merged 1 commit into redhat-developer:v1.19 from Rizwana777:1.19-cve-fix
Apr 8, 2026
@Rizwana777
Collaborator

What type of PR is this?
/kind bug

What does this PR do / why we need it:
Bump google.golang.org/grpc to v1.79.3 on the v1.19 branch to address CVE-2026-33186 (HTTP/2 :path handling leading to authorization bypass in affected gRPC-Go server configurations)

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?
http://redhat.atlassian.net/browse/GITOPS-9328

Signed-off-by: Rizwana777 <rizwananaaz177@gmail.com>
@openshift-ci openshift-ci bot added the kind/bug Something isn't working label Apr 6, 2026
@openshift-ci openshift-ci bot requested review from jannfis and jgwest April 6, 2026 10:12
@Rizwana777
Collaborator Author

/retest

@svghadi
Member

svghadi commented Apr 8, 2026

/approve
/lgtm

@openshift-ci

openshift-ci bot commented Apr 8, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: svghadi


@openshift-ci openshift-ci bot added the approved label Apr 8, 2026
@svghadi
Member

svghadi commented Apr 8, 2026

Do we need to make this fix in argocd-operator as well?

@openshift-merge-bot openshift-merge-bot bot merged commit c6d0079 into redhat-developer:v1.19 Apr 8, 2026
11 checks passed
@Rizwana777
Collaborator Author

> Do we need to make this fix in argocd-operator as well?

argocd-operator already has the fixed version of grpc, which is 1.79.3
https://github.com/argoproj-labs/argocd-operator/blob/master/go.mod#L178
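
A check for the question raised in this thread, added here as an example and not taken from the PR or from either project: it reads go.mod text and reports whether the effective google.golang.org/grpc version is at least v1.79.3, including when a replace directive overrides the require line. The function names and the sample input are constructed, and treating every later release as fixed is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path and fixed version as stated in the PR (names below are hypothetical).
const grpcModule = "google.golang.org/grpc"
var fixed = [3]int{1, 79, 3}

// grpcVersion returns the effective version in go.mod text; replace beats require.
func grpcVersion(goMod string) (v string) {
	replaced := false
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:]
		}
		if len(f) < 2 || f[0] != grpcModule {
			continue
		}
		if isReplace := strings.Contains(line, "=>"); isReplace || !replaced {
			v, replaced = f[len(f)-1], isReplace
		}
	}
	return v
}

// isFixed: v >= fixed (assumes later releases keep the fix); a "-" suffix sorts before it.
func isFixed(v string) bool {
	core, _, hasPre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var n [3]int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2]); err != nil {
		return false // not a version (e.g. local path replace): review manually
	}
	for i := range n {
		if n[i] != fixed[i] {
			return n[i] > fixed[i]
		}
	}
	return !hasPre
}

func main() { // constructed sample: a fixed require overridden by an older replace
	sample := "require google.golang.org/grpc v1.79.3\nreplace google.golang.org/grpc => google.golang.org/grpc v1.70.0\n"
	fmt.Println(grpcVersion(sample), isFixed(grpcVersion(sample)))
}
```

An empty result from `grpcVersion` means the module is not listed directly in that go.mod; a `false` from `isFixed` on a non-version string, such as a local replace path, calls for a manual look.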
