
Security: Fix CVE-2026-33186 (google.golang.org/grpc) SRVKP-11970#1659

Closed
jkhelil wants to merge 1 commit into
release-v0.20.xfrom
fix/SRVKP-11970-cve-2026-33186-grpc-release-v0.20.x-attempt-1

Conversation

@jkhelil (Member) commented May 12, 2026

Summary

This PR fixes CVE-2026-33186 (GHSA-p77j-4mvh-x3m3) on the release-v0.20.x branch by upgrading google.golang.org/grpc from v1.77.0 to v1.79.3.

CVE Details

  • CVE ID: CVE-2026-33186
  • GHSA: GHSA-p77j-4mvh-x3m3
  • Package: google.golang.org/grpc
  • Severity: CRITICAL (CVSS 9.1)
  • Impact: Authorization bypass via missing leading slash in :path HTTP/2 pseudo-header. Affects gRPC-Go servers using path-based authorization interceptors (grpc/authz or custom interceptors relying on info.FullMethod).
  • Vulnerable versions: < v1.79.3
  • Fixed version: v1.79.3
  • Jira Issues: SRVKP-11970

⚠️ Important: Minor Version Bump Required

No patch release exists in the v1.77.x line that contains this fix. The fix was introduced in v1.79.3. This upgrade crosses two minor versions (v1.77.0 → v1.79.3).

Co-upgraded dependencies (pulled in by grpc v1.79.3 compatibility):

  • go.opentelemetry.io/otel v1.38.0 → v1.39.0
  • go.opentelemetry.io/contrib/detectors/gcp v1.38.0 → v1.39.0
  • go.opentelemetry.io/otel/sdk v1.38.0 → v1.39.0
  • go.opentelemetry.io/otel/metric v1.38.0 → v1.39.0
  • go.opentelemetry.io/otel/trace v1.38.0 → v1.39.0
  • golang.org/x/oauth2 v0.33.0 → v0.34.0
  • google.golang.org/genproto/googleapis/api (patch)
  • github.com/envoyproxy/protoc-gen-validate v1.2.1 → v1.3.0

Test Results

Status: ⚠️ Pre-existing failures (unrelated to this fix)

Tests discovered: Yes
Test command: go test ./...
Result: 2 pre-existing test failures in pkg/chains/signing/x509
Duration: ~5 minutes

Pre-existing Test Failures

--- FAIL: TestCreateSignerFulcioEnabled (0.00s)
    x509_test.go:85: new signer: reading id token: getting id token: open eyJ0eXAiOi...: no such file or directory
--- FAIL: TestCreateSignerFulcioEnabledFilesystemProvider (0.00s)
    x509_test.go:121: new signer: reading id token: getting id token: open eyJ0eXAiOi...: no such file or directory
FAIL    github.com/tektoncd/chains/pkg/chains/signing/x509

These failures are caused by missing Fulcio OIDC token files in the local test environment. They are pre-existing and unrelated to this CVE fix. All other tests pass.

All other packages: ✅ PASS

Breaking Changes

The grpc-go v1.77→v1.79 upgrade may include API changes. Key areas to review:

  • gRPC interceptor API compatibility
  • xDS configuration (internal restructuring in vendor)
  • OpenTelemetry metric API alignment

Verification Steps

  • Verify google.golang.org/grpc is at v1.79.3: grep 'google.golang.org/grpc' go.mod
  • Run local tests: go test ./...
  • Confirm CVE-2026-33186 is no longer reported in security scan
  • Review co-upgraded dependency versions for compatibility
  • Integration test gRPC authorization paths

Risk Assessment

| Category | Level | Notes |
| --- | --- | --- |
| Dependency bump | Medium | Minor version bump (v1.77→v1.79); no v1.77.x patch available |
| API compatibility | Medium | grpc internal API changes between minor versions |
| Auth behavior | Low | Fix strengthens auth by rejecting malformed :path headers |
| Test coverage | Medium | 2 pre-existing Fulcio test failures (environment issue, not code) |

🤖 Generated by CVE Fixer Workflow

Security fix: update google.golang.org/grpc from v1.77.0 to v1.79.3 to address CVE-2026-33186 (authorization bypass via malformed gRPC :path)

- Update google.golang.org/grpc from v1.77.0 to v1.79.3
- Addresses authorization bypass via missing leading slash in :path
  (GHSA-p77j-4mvh-x3m3, CVE-2026-33186, CVSS 9.1 Critical)
- Co-upgraded: go.opentelemetry.io/otel v1.38.0→v1.39.0,
  golang.org/x/oauth2 v0.33.0→v0.34.0,
  google.golang.org/genproto/googleapis/api (patch)

NOTE: This fix requires upgrading from v1.77.0 to v1.79.3 (minor version bump).
No patch release exists in the v1.77.x line that contains this fix.
The cascade of co-upgrades should be reviewed before merging.

Resolves: SRVKP-11970

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
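Added example, not code from this PR or from grpc-go: a standard-library Go sketch of the authorization pattern the CVE description refers to. It places a deny-list check over the raw FullMethod (the `:path` value an interceptor sees) beside a strict parser that rejects any path lacking the leading slash before policy is consulted. All function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformedMethod covers any path that is not exactly "/<service>/<method>".
var ErrMalformedMethod = errors.New("malformed gRPC method path")
// ParseFullMethod (hypothetical helper) strictly parses the FullMethod string
// a server interceptor sees, i.e. the HTTP/2 :path, enforcing the leading slash.
func ParseFullMethod(full string) (service, method string, err error) {
	if !strings.HasPrefix(full, "/") {
		return "", "", ErrMalformedMethod
	}
	parts := strings.Split(full[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", ErrMalformedMethod
	}
	return parts[0], parts[1], nil
}

// DenyListAllows is a deny-list check over the raw FullMethod: the shape the
// advisory describes as bypassable, because a slashless path matches no rule.
func DenyListAllows(full string, deniedPrefixes []string) bool {
	for _, p := range deniedPrefixes {
		if strings.HasPrefix(full, p) {
			return false
		}
	}
	return true
}

// StrictAllows validates the path before consulting an allow-list of services,
// so a malformed :path fails closed instead of slipping past policy.
func StrictAllows(full string, allowedServices map[string]bool) bool {
	svc, _, err := ParseFullMethod(full)
	if err != nil {
		return false
	}
	return allowedServices[svc]
}

func main() {
	denied, allowed := []string{"/admin.Service/"}, map[string]bool{"public.Service": true}
	for _, p := range []string{"/admin.Service/Reset", "admin.Service/Reset", "/public.Service/Get"} {
		fmt.Printf("%-22s deny-list=%-5v strict=%v\n", p, DenyListAllows(p, denied), StrictAllows(p, allowed))
	}
}
```

The upgrade to v1.79.3 makes grpc-go itself reject the malformed `:path`; the strict check here is the defence-in-depth any custom interceptor relying on `info.FullMethod` should keep regardless.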
@linux-foundation-easycla

CLA Missing ID

  • ❌ The email address for the commit (dd1dcb2) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please visit our EasyCLA portal and chat with our support bot.

@tekton-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign chuangw6 after the PR has been reviewed.
You can assign the PR to them by writing /assign @chuangw6 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot added the label size/M (Denotes a PR that changes 30-99 lines, ignoring generated files.) on May 12, 2026

@jkhelil (Member, Author) commented May 12, 2026

Closing in favour of #1660 which has the same fix committed under the correct author email (jkhelil@redhat.com) to pass EasyCLA.

@jkhelil jkhelil closed this May 12, 2026