fix(cve): CVE-2026-33186 - gRPC-Go authorization bypass (release-v0.6.0)

[divyansh42]

CVE Details

Field	Value
CVE ID	CVE-2026-33186
GHSA	GHSA-p77j-4mvh-x3m3
Go Vuln ID	GO-2026-4762
Severity	High
Package	google.golang.org/grpc
Affected	< v1.79.3
Fixed in	v1.79.3

Note on Jira tickets: SRVKP-11722 and SRVKP-11723 track CVE-2026-40938. CVE-2026-40938 is not registered in the Go vulnerability database and was not detected by govulncheck. CVE-2026-33186 (gRPC-Go authorization bypass) was confirmed on this branch (grpc v1.71.1) and this PR addresses it. tektoncd/pipeline is being addressed separately in PR #982.

Description

Authorization bypass in gRPC-Go via missing leading slash in :path. An attacker can bypass authorization checks on gRPC servers.

Fix Summary

• Updated google.golang.org/grpc from v1.71.1 → v1.79.3
• Go version bumped from 1.23.0 → 1.24.0 (grpc v1.79.3 minimum Go requirement)
• Updated toolchain go1.23.8 → toolchain go1.24.0
• Transitive deps updated: x/net, x/oauth2, x/sync, x/sys, x/term, x/text, x/tools
• Ran go mod tidy && go mod verify && go mod vendor — all passed ✅

Test Results

Status: ✅ PASSED (5 packages)

ok  github.com/openshift-pipelines/manual-approval-gate/pkg/cli/cmd/approve    0.024s
ok  github.com/openshift-pipelines/manual-approval-gate/pkg/cli/cmd/describe   0.026s
ok  github.com/openshift-pipelines/manual-approval-gate/pkg/cli/cmd/list       0.028s
ok  github.com/openshift-pipelines/manual-approval-gate/pkg/cli/cmd/reject     0.029s
ok  github.com/openshift-pipelines/manual-approval-gate/pkg/reconciler/approvaltask  0.105s

Breaking Changes

Go directive bumped from 1.23.0 → 1.24.0. Build and test toolchains should be updated accordingly.

Jira References

SRVKP-11722, SRVKP-11723

Verification Steps

• Review go.mod: go 1.24.0 and google.golang.org/grpc v1.79.3
• CI/CD passes with Go 1.24 toolchain
• No regressions in webhook/controller functionality
• tektoncd/pipeline CVE addressed by separate PR fix(cve): CVE-2026-40161 - bump github.com/tektoncd/pipeline v1.0.0 → v1.0.2 #982

Risk Assessment

Medium — Security-critical gRPC upgrade. The Go 1.23 → 1.24 bump is backwards-compatible but CI toolchains must be updated.

---

🤖 Generated with Claude Code

[infernus01]

/lgtm

[openshift-ci]

@infernus01: changing LGTM is restricted to collaborators

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: divyansh42, infernus01
Once this PR has been reviewed and has the lgtm label, please assign puneetpunamiya for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment