
fix(cve): cve-2026-33186 - grpc-go auth bypass#399

Open
vmrh21 wants to merge 1 commit into
red-hat-data-services:rhoai-3.3from
vmrh21:fix/cve-2026-33186-grpc-go-rhoai-3.3-attempt-2

Conversation

@vmrh21 vmrh21 commented Apr 28, 2026


summary

update google.golang.org/grpc from v1.75.1 to v1.79.3 to resolve authorization bypass due to improper http/2 path validation.

cve details

  • cve id: CVE-2026-33186
  • package: google.golang.org/grpc
  • severity: critical (cvss 9.1)
  • impact: authorization bypass due to missing leading slash validation in http/2 :path header
  • vulnerable versions: < 1.79.3
  • fixed version: 1.79.3
  • jira issues: RHOAIENG-55311

changes

  • update google.golang.org/grpc from v1.75.1 to v1.79.3
  • transitive dependency updates (otel, cel, xds, go-jose, etc.)

test results

status: ✅ all tests passed

test command: go test ./...
exit code: 0

  • api_keys: ok
  • handlers: ok
  • models: ok
  • tier: ok
  • token: ok

verification

  • govulncheck confirmed CVE-2026-33186 was reachable in application code (pre-fix)
  • govulncheck confirmed CVE-2026-33186 is no longer detected (post-fix)

breaking changes

none expected. grpc v1.79.3 is a patch release within the v1.x line.

testing checklist

  • pre-pr automated tests executed (all passed)
  • govulncheck post-fix verification (cve resolved)
  • verify cve is resolved in ci/cd pipeline
  • test affected grpc functionality manually

risk assessment

factor            assessment
change scope      dependency version bump (indirect)
breaking changes  none (patch release)
test coverage     all existing tests pass
risk level        low

resolves: RHOAIENG-55311


🤖 generated by cve fixer workflow

update google.golang.org/grpc from v1.75.1 to v1.79.3 to resolve
authorization bypass due to improper http/2 path validation.

cve details:
- cve-2026-33186: grpc-go authorization bypass via missing leading
  slash in :path header (cvss 9.1, critical)
- affected: < v1.79.3
- fixed: v1.79.3

govulncheck confirmed the vulnerable symbol is reachable from
application code on this branch.

resolves: RHOAIENG-55311

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
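The bug class this PR describes, an HTTP/2 :path that lacks its leading slash slipping past an authorization policy keyed on the canonical full method name, modelled in Go as an added example. This is not code from the PR, the commit, or grpc-go itself: the `lenientRoute`, `strictParsePath` and `Policy` names and the `/pkg.Admin/Delete` method are assumptions for illustration, and the lenient router is a hypothetical stand-in for the real library's behaviour, used only to show why the path check has to run before the policy match.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadPath is returned for an HTTP/2 :path that is not a well-formed
// gRPC method path, i.e. "/" Service-Name "/" method.
var ErrBadPath = errors.New("invalid gRPC :path")

// lenientRoute is a hypothetical router that derives service and method by
// stripping any leading "/" and splitting, so "pkg.Admin/Delete" and
// "/pkg.Admin/Delete" both dispatch to Admin.Delete. This is the behaviour
// that turns a missing leading-slash check into a policy bypass.
func lenientRoute(path string) (service, method string, ok bool) {
	parts := strings.Split(strings.TrimPrefix(path, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// strictParsePath enforces the gRPC wire format: exactly one leading "/",
// then non-empty service and method names with no further "/" segments.
func strictParsePath(path string) (service, method string, err error) {
	if !strings.HasPrefix(path, "/") {
		return "", "", fmt.Errorf("%w: missing leading slash: %q", ErrBadPath, path)
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("%w: %q", ErrBadPath, path)
	}
	return parts[0], parts[1], nil
}

// Policy is a deny list keyed by canonical full method name, the form an
// authorization interceptor typically matches on. (Assumed shape.)
type Policy struct {
	denied map[string]bool
}

// NewPolicy builds a deny list from canonical "/Service/Method" names.
func NewPolicy(deniedMethods ...string) *Policy {
	p := &Policy{denied: make(map[string]bool, len(deniedMethods))}
	for _, m := range deniedMethods {
		p.denied[m] = true
	}
	return p
}

// AuthorizeNaive matches the raw :path against the policy without validating
// it, then routes leniently. A path missing its leading slash is absent from
// the deny map yet still reaches the protected handler: the bypass.
func (p *Policy) AuthorizeNaive(path string) (allowed bool, routedTo string) {
	if p.denied[path] {
		return false, ""
	}
	svc, m, ok := lenientRoute(path)
	if !ok {
		return false, ""
	}
	return true, "/" + svc + "/" + m
}

// AuthorizeStrict validates :path first and matches the policy on the
// canonical name rebuilt from the parsed components, so every path that can
// route is also the exact string the policy was written against.
func (p *Policy) AuthorizeStrict(path string) (allowed bool, routedTo string, err error) {
	svc, m, err := strictParsePath(path)
	if err != nil {
		return false, "", err
	}
	full := "/" + svc + "/" + m
	if p.denied[full] {
		return false, "", nil
	}
	return true, full, nil
}

func main() {
	// Constructed sample paths: canonical denied, denied-without-slash, public.
	p := NewPolicy("/pkg.Admin/Delete")
	for _, path := range []string{"/pkg.Admin/Delete", "pkg.Admin/Delete", "/pkg.Public/List"} {
		nOK, nTo := p.AuthorizeNaive(path)
		sOK, sTo, sErr := p.AuthorizeStrict(path)
		fmt.Printf("%-20q naive: allowed=%-5v -> %-18q strict: allowed=%-5v -> %q err=%v\n",
			path, nOK, nTo, sOK, sTo, sErr)
	}
}
```

The point for reviewers of the bump: the fix belongs in the transport's path validation, not in each application's policy, because any policy keyed on the canonical name silently fails open whenever the transport routes a non-canonical path. Running the block shows `pkg.Admin/Delete` allowed by the naive check and rejected with `ErrBadPath` by the strict one.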

1 participant