fix: upgrade grpc to v1.79.3 to fix CVE auth bypass (VAULT-44205) #41

Closed
TejaswiniV1 wants to merge 1 commit into main from fix/VAULT-44205-grpc-auth-bypass

Conversation


@TejaswiniV1 TejaswiniV1 commented Apr 20, 2026

Description

What does this PR do?
This PR addresses a critical authorization bypass vulnerability in gRPC-Go (CVE-2026-33186).
Older versions of gRPC-Go allowed malformed HTTP/2 :path values without a leading slash, which could bypass path-based authorization rules under certain policy configurations.

Fix:
1. Upgraded google.golang.org/grpc from v1.56.3 to v1.79.3
2. This version rejects malformed :path headers before routing or authorization logic runs, fully mitigating the vulnerability upstream
3. No application-level logic changes were required

Key Changes:
1. Dependency upgrade: google.golang.org/grpc v1.79.3
2. Related transitive dependency updates via go mod tidy
3. No functional or behavioral changes to plugin logic

Verification

go build ./... - completed successfully
go test ./... - completed successfully (no test files present)

Ticket: VAULT-44205

@TejaswiniV1 TejaswiniV1 requested a review from a team as a code owner April 20, 2026 14:48
@TejaswiniV1 TejaswiniV1 deleted the fix/VAULT-44205-grpc-auth-bypass branch April 20, 2026 15:09
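The description above explains the failure mode in one sentence: a :path without a leading slash never matches a prefix-based authorization rule, so the rule lets a restricted method through. The following Go program is an added illustration of that mechanism and of the ordering the fix relies on (validate the path shape, then authorize); it is not code from this PR, from the plugin, or from gRPC-Go. The restricted prefixes, the sample :path values, and the function names are constructed for the example. It uses only the standard library so it runs without gRPC-Go installed; in a real server the hardened check would sit where gRPC-Go v1.79.3 now performs it, ahead of routing.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformedPath is returned for a :path value that is not absolute.
var ErrMalformedPath = errors.New("malformed :path: missing leading slash")

// restrictedPrefixes is a constructed, hypothetical policy: full method names
// under these prefixes are denied to the caller. A real policy lives in the
// plugin's own configuration, not here.
var restrictedPrefixes = []string{"/admin.Service/", "/internal."}

// policyAllows applies the prefix rule to whatever path it is handed, without
// any validation of the path's shape.
func policyAllows(path string) bool {
	for _, p := range restrictedPrefixes {
		if strings.HasPrefix(path, p) {
			return false
		}
	}
	return true
}

// weakAuthorize evaluates the policy against the raw :path as received.
// A value such as "admin.Service/Reset" (no leading slash) never matches the
// "/admin.Service/" prefix, so the rule allows it even though the method is
// restricted. This is the configuration-dependent bypass the PR description
// refers to.
func weakAuthorize(path string) bool {
	return policyAllows(path)
}

// hardenedAuthorize rejects any :path that is not of the form
// "/<service>/<method>" before the policy runs, the same ordering the PR
// relies on upstream (reject malformed paths, then route and authorize).
func hardenedAuthorize(path string) (bool, error) {
	if !strings.HasPrefix(path, "/") {
		return false, ErrMalformedPath
	}
	service, method, found := strings.Cut(path[1:], "/")
	if !found || service == "" || method == "" || strings.Contains(method, "/") {
		return false, fmt.Errorf("malformed :path %q: expected /service/method", path)
	}
	return policyAllows(path), nil
}

func main() {
	// Constructed sample :path values, including one with the leading slash omitted.
	samples := []string{
		"/public.Service/Ping",
		"/admin.Service/Reset",
		"admin.Service/Reset",
		"/admin.Service/",
	}
	for _, p := range samples {
		weak := weakAuthorize(p)
		hardened, err := hardenedAuthorize(p)
		fmt.Printf("%-24q weak=%-5v hardened=%-5v err=%v\n", p, weak, hardened, err)
	}
}
```

The point of the pairing is where the check lives: with the weak rule, the outcome depends entirely on how the policy happens to be written, whereas the hardened rule makes a non-absolute :path fail closed regardless of the policy. After the dependency upgrade, `go list -m google.golang.org/grpc` is a quick way to confirm the resolved version is v1.79.3 rather than a transitively pinned older one.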