Summary

Requesting a patch release on the v1.9.x line that backports the google.golang.org/grpc bump merged in #4686, which addresses CVE-2026-33186 (CVSS 9.1 Critical).

Context

The current latest stable release v1.9.0 (2026-03-20) ships google.golang.org/grpc v1.72.1, which is affected by CVE-2026-33186. The fix landed on master on 2026-04-14 (#4686, "Fixes #4667"), bumping grpc to v1.80.0, but master isn't a viable consumption target for users pulling published binaries or container images.

The closed tracker #4667 acknowledged the v1.9.0 security report, and #4686 fixed it on master, but no patched release on the v1.9.x line has been cut. The v1.10 milestone is open with no due date.

Ask

Either:

- Communicate an ETA for v1.10 so downstream consumers can plan.

Downstream container scanners (e.g., GCP Vulnerability Assessment) flag this as Critical and require either a fix or a documented mitigation, which is awkward when the fix is merged-but-unreleased.

Thanks for the work on this project.