fix: upgrade google.golang.org/grpc to v1.79.3 (CVE-2026-33186) #25262

Merged
Shelnutt2 merged 1 commit into release/2.29 from sshelnutt/ent-62-grpc-upgrade-v229
May 13, 2026

@Shelnutt2
Contributor

Summary

Upgrades google.golang.org/grpc from v1.78.0 to v1.79.3 on the release/2.29 branch to remediate CVE-2026-33186.

CVE-2026-33186

gRPC-Go versions prior to 1.79.3 have an authorization bypass via improper input validation of the HTTP/2 :path pseudo-header. A missing leading slash allows requests to bypass per-RPC authorization policies.

| Field | Value |
| --- | --- |
| CVE | CVE-2026-33186 |
| Advisory | GHSA-p77j-4mvh-x3m3 |
| Severity | Critical |
| Previous version | v1.78.0 |
| Fixed version | v1.79.3 |

Changes

  • go.mod / go.sum: bump google.golang.org/grpc v1.78.0 -> v1.79.3 and transitive deps

Verification

  • go build ./... passes
  • No API or behavioral changes; dependency-only bump

Relates to: ENT-62

Generated by Coder Agents

gRPC-Go versions prior to 1.79.3 have an authorization bypass via
improper input validation of the HTTP/2 :path pseudo-header. A missing
leading slash allows requests to bypass per-RPC authorization policies.

Bumps google.golang.org/grpc from v1.78.0 to v1.79.3 on release/2.29.

@Shelnutt2 added the cherry-pick/v2.29 (Needs to be cherry-picked to the 2.29 release branch) and dependencies (Pull requests that update a dependency file) labels May 13, 2026
@Shelnutt2 changed the title from "fix(deps): upgrade google.golang.org/grpc to v1.79.3 (CVE-2026-33186)" to "fix: upgrade google.golang.org/grpc to v1.79.3 (CVE-2026-33186)" May 13, 2026
@Shelnutt2 merged commit bc9ee3b into release/2.29 May 13, 2026
37 of 39 checks passed
@Shelnutt2 deleted the sshelnutt/ent-62-grpc-upgrade-v229 branch May 13, 2026 12:24
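
A dependency-only fix like this one holds only if go.mod keeps requiring the fixed version, so a CI gate on the `require` line is a useful follow-up. The Go check below is an added example, not code from this PR or the repository; `parseVer` and `isPatched` are hypothetical names, the go.mod text is constructed, and `replace`/`exclude` directives are assumed absent.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path and fixed version as stated in this PR.
const grpcModule, fixedVer = "google.golang.org/grpc", "v1.79.3"

// parseVer turns "v1.79.3" into [1 79 3]. Pre-release and pseudo-versions
// are rejected on purpose so they get manual review instead of a silent pass.
func parseVer(v string) (out [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	if err == nil && fmt.Sprintf("v%d.%d.%d", out[0], out[1], out[2]) != v {
		err = fmt.Errorf("unsupported version %q", v)
	}
	return out, err
}

// isPatched reports whether go.mod text requires grpc at or above fixedVer.
// It reads single-line and block-form require directives (hypothetical helper).
func isPatched(gomod string) (bool, error) {
	want, _ := parseVer(fixedVer)
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || f[0] != grpcModule || !strings.HasPrefix(f[1], "v") {
			continue
		}
		got, err := parseVer(f[1])
		if err != nil {
			return false, err
		}
		for i := range got { // numeric compare, so v1.100.0 > v1.79.3
			if got[i] != want[i] {
				return got[i] > want[i], nil
			}
		}
		return true, nil
	}
	return false, fmt.Errorf("%s not found in require directives", grpcModule)
}

func main() {
	// Constructed go.mod text for illustration, not the repository's real file.
	fmt.Println(isPatched("require google.golang.org/grpc v1.78.0\n"))
}
```

A non-nil error (module missing, or a pseudo-version) should fail the gate the same way a `false` result does.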