
fix: upgrade google.golang.org/grpc to v1.79.3 (auth bypass CVE) #39

Closed
TejaswiniV1 wants to merge 1 commit into main from fix/grpc-auth-bypass-vuln


Conversation


@TejaswiniV1 TejaswiniV1 commented Apr 17, 2026

Description

What does this PR do?
This PR addresses a critical authorization bypass vulnerability in gRPC-Go (CVE-2026-33186).
Older versions of gRPC-Go allowed malformed HTTP/2 :path values without a leading slash, which could bypass path-based authorization rules under certain policy configurations.

Fix:
1. Upgraded google.golang.org/grpc from v1.56.3 to v1.79.3
2. This version rejects malformed :path headers before routing or authorization logic runs, fully mitigating the vulnerability upstream
3. No application-level logic changes were required

Key Changes:
1. Dependency upgrade: google.golang.org/grpc v1.79.3
2. Related transitive dependency updates via go mod tidy
3. No functional or behavioral changes to plugin logic

Verification

  • go build ./... - completed successfully
  • go test ./... - completed successfully (no test files present)

Ticket: SECVULN-40751
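The bypass class the PR description refers to (an authorization rule written against the canonical "/<service>/<method>" form, evaluated on a raw :path that lacks the leading slash, while routing still resolves the method) is easier to reason about with a small model. The following is an added example written for this page, not code from the PR, the plugin, or gRPC-Go: the deny-prefix policy, the lenient router `lenientRoute`, and the hardened validator `validateGRPCPath` are all hypothetical stand-ins that illustrate the ordering fix the description credits to the upstream release (validate :path before routing or authorization runs), not gRPC-Go's actual routing or authorization code.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical path-based authorization policy, written the way an operator
// would write it: against the canonical gRPC :path form "/<service>/<method>".
var denyPrefixes = []string{"/admin.AdminService/"}

// policyAllows applies the deny list to whatever path string it is given.
func policyAllows(path string) bool {
	for _, p := range denyPrefixes {
		if strings.HasPrefix(path, p) {
			return false
		}
	}
	return true
}

// vulnerableAuthorize models the flawed ordering: the policy is evaluated on the
// raw :path header before any validation, so "admin.AdminService/DeleteUser"
// (no leading slash) does not match the deny prefix and is allowed through.
func vulnerableAuthorize(rawPath string) bool {
	return policyAllows(rawPath)
}

// lenientRoute is a hypothetical router that tolerates a missing leading slash:
// it strips one if present and resolves the same service/method either way.
// This is the second half of the bypass: authz and routing disagree on the path.
func lenientRoute(rawPath string) (service, method string, err error) {
	parts := strings.Split(strings.TrimPrefix(rawPath, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", errors.New("unroutable path")
	}
	return parts[0], parts[1], nil
}

// validateGRPCPath is the hardened form: accept exactly "/<service>/<method>"
// and reject everything else before routing or authorization sees it.
func validateGRPCPath(rawPath string) (string, error) {
	if !strings.HasPrefix(rawPath, "/") {
		return "", fmt.Errorf("malformed :path %q: missing leading slash", rawPath)
	}
	parts := strings.Split(rawPath[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("malformed :path %q: expected /<service>/<method>", rawPath)
	}
	return rawPath, nil
}

// hardenedAuthorize validates first, then applies the same policy. A malformed
// path never reaches the policy, so the deny rule cannot be sidestepped.
func hardenedAuthorize(rawPath string) (bool, error) {
	p, err := validateGRPCPath(rawPath)
	if err != nil {
		return false, err
	}
	return policyAllows(p), nil
}

func main() {
	// Constructed sample :path values for illustration.
	for _, path := range []string{
		"/admin.AdminService/DeleteUser",   // canonical, denied by policy
		"admin.AdminService/DeleteUser",    // missing slash: passes the vulnerable check
		"/public.EchoService/Echo",         // canonical, allowed
		"/admin.AdminService/DeleteUser/x", // extra segment: unroutable and rejected
	} {
		svc, m, rerr := lenientRoute(path)
		ok, herr := hardenedAuthorize(path)
		fmt.Printf("%-36q vulnerable=%-5v route=%s/%s err=%v hardened=%v err=%v\n",
			path, vulnerableAuthorize(path), svc, m, rerr, ok, herr)
	}
}
```

When reviewing a dependency bump of this kind, the check worth adding to the PR's verification list is that the resolved module is really the patched one after `go mod tidy` (`go list -m google.golang.org/grpc` prints the selected version, and `govulncheck ./...` reports whether any known vulnerable symbol is still reachable), since a replace directive or a higher minimum from another dependency can leave go.mod saying one thing and the build using another.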

@TejaswiniV1 TejaswiniV1 requested a review from a team as a code owner April 17, 2026 07:04

hashicorp-cla-app Bot commented Apr 17, 2026

CLA assistant check
All committers have signed the CLA.


Copilot AI left a comment


Pull request overview

Upgrades the project’s gRPC-Go dependency to a patched version to mitigate a reported authorization bypass (CVE‑2026‑33186), along with the resulting module metadata updates.

Changes:

  • Bumps google.golang.org/grpc to v1.79.3 (and updates related google.golang.org/protobuf).
  • Updates transitive dependencies as a result of go mod tidy.
  • Adjusts the go directive in go.mod to 1.24.0.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File    Description
go.mod  Updates gRPC-Go (and other indirect deps) to the intended fixed versions.
go.sum  Refreshes dependency checksums to match the upgraded direct/transitive module set.


@TejaswiniV1 TejaswiniV1 deleted the fix/grpc-auth-bypass-vuln branch April 17, 2026 08:48