
fix(cve): cve-2026-33816 - pgx memory-safety [rhoai-3.4-ea.1]#425

Open
vmrh21 wants to merge 1 commit into
red-hat-data-services:rhoai-3.4-ea.1from
vmrh21:fix/cve-2026-33816-pgx-rhoai-3.4-ea.1-attempt-2

Conversation

@vmrh21

@vmrh21 vmrh21 commented May 6, 2026


CVE Details

Field             Value
CVE ID            CVE-2026-33816
Severity          High
Component         github.com/jackc/pgx/v5
Affected Version  v5.7.6
Fixed Version     v5.9.2
Target Branch     rhoai-3.4-ea.1

Summary

  • Update github.com/jackc/pgx/v5 from v5.7.6 to v5.9.2 to resolve a memory-safety vulnerability in the pgx database driver
  • CVE-2026-33816: memory-safety vulnerability in github.com/jackc/pgx

Changes Made

  • Updated maas-api/go.mod to require github.com/jackc/pgx/v5 v5.9.2
  • Ran go mod tidy to update maas-api/go.sum with new dependency checksums

Test Results

All tests passed

ok   github.com/opendatahub-io/models-as-a-service/maas-api/internal/api_keys
ok   github.com/opendatahub-io/models-as-a-service/maas-api/internal/handlers
ok   github.com/opendatahub-io/models-as-a-service/maas-api/internal/models
ok   github.com/opendatahub-io/models-as-a-service/maas-api/internal/tier
ok   github.com/opendatahub-io/models-as-a-service/maas-api/internal/token

Command: cd maas-api && go test ./...

Breaking Changes

None expected. This is a patch-level dependency update that addresses a security vulnerability without introducing API changes.

Risk Assessment

Low - Patch upgrade of a database driver dependency. All existing tests pass. No API changes expected between v5.7.6 and v5.9.2.

Jira Reference

RHOAIENG-57063

Verification Steps

  • CI pipeline passes
  • Confirm github.com/jackc/pgx/v5 v5.9.2 in go.mod
  • Vulnerability scan no longer reports CVE-2026-33816
  • Application starts and connects to database successfully
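One way to script the "Confirm github.com/jackc/pgx/v5 v5.9.2 in go.mod" verification step so it can run in CI, as an added example that is not part of this PR or of the models-as-a-service project. It assumes a POSIX shell with awk; the function names, the sample go.mod contents and the example module path github.com/example/maas-api are constructed for the illustration (the real file in the PR is maas-api/go.mod). The only version numbers used are the affected (v5.7.6) and fixed (v5.9.2) versions stated in the PR.

```shell
#!/bin/sh
# Added example (not the PR's or the project's code): verify that a go.mod
# requires github.com/jackc/pgx/v5 at or above the fixed version from the PR.

FIXED_PGX_VERSION="v5.9.2"

# Constructed sample go.mod contents: the "before" state (still on the
# affected v5.7.6) and the "after" state (bumped to the fixed v5.9.2).
SAMPLE_GOMOD_BEFORE='module github.com/example/maas-api

go 1.22

require (
    github.com/jackc/pgx/v5 v5.7.6
    github.com/stretchr/testify v1.9.0
)
'

SAMPLE_GOMOD_AFTER='module github.com/example/maas-api

go 1.22

require (
    github.com/jackc/pgx/v5 v5.9.2
    github.com/stretchr/testify v1.9.0
)
'

# pgx_version_in_gomod: read go.mod text on stdin and print the required
# version of github.com/jackc/pgx/v5 (nothing if the module is not required).
# Handles both the block form "require ( ... )" and the one-line
# "require github.com/jackc/pgx/v5 vX.Y.Z" form; a trailing "// indirect"
# comment does not affect the field positions.
pgx_version_in_gomod() {
    awk '$1 == "github.com/jackc/pgx/v5" { print $2; exit }
         $1 == "require" && $2 == "github.com/jackc/pgx/v5" { print $3; exit }'
}

# version_at_least A B: succeed if semantic version A >= B.
# Compares major.minor.patch numerically after stripping a leading "v" and
# any pre-release/build suffix (e.g. "-rc1"), so "v5.10.0" > "v5.9.2".
version_at_least() {
    a=${1#v}; b=${2#v}
    a=${a%%[-+]*}; b=${b%%[-+]*}
    old_ifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    if [ "$a1" -ne "$b1" ]; then
        if [ "$a1" -gt "$b1" ]; then return 0; else return 1; fi
    fi
    if [ "$a2" -ne "$b2" ]; then
        if [ "$a2" -gt "$b2" ]; then return 0; else return 1; fi
    fi
    if [ "$a3" -ge "$b3" ]; then return 0; else return 1; fi
}

# check_pgx_fixed: read go.mod text on stdin. Exit status 0 if pgx is pinned
# at or above FIXED_PGX_VERSION, 1 if it is older (still affected), and 2 if
# pgx is not required at all (nothing to check, but worth flagging in CI).
check_pgx_fixed() {
    v=$(pgx_version_in_gomod)
    if [ -z "$v" ]; then
        echo "github.com/jackc/pgx/v5 is not required in this go.mod" >&2
        return 2
    fi
    if version_at_least "$v" "$FIXED_PGX_VERSION"; then
        echo "ok: github.com/jackc/pgx/v5 $v >= $FIXED_PGX_VERSION"
        return 0
    fi
    echo "NOT FIXED: github.com/jackc/pgx/v5 $v < $FIXED_PGX_VERSION (CVE-2026-33816)" >&2
    return 1
}

# Against the real repository this would be:  check_pgx_fixed < maas-api/go.mod
# Demonstration on the constructed samples:
printf '%s' "$SAMPLE_GOMOD_BEFORE" | check_pgx_fixed || echo "before-state check failed as expected"
printf '%s' "$SAMPLE_GOMOD_AFTER" | check_pgx_fixed
```

The check reads go.mod rather than trusting the PR text, so it catches a bump that was reverted by a later `go mod tidy` or merge; pairing it with a `go list -m github.com/jackc/pgx/v5` run in CI would additionally confirm the version actually selected by the build.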

update github.com/jackc/pgx/v5 from v5.7.6 to v5.9.2 to resolve
memory-safety vulnerability in pgx database driver.

cve details:
- cve-2026-33816: memory-safety vulnerability in github.com/jackc/pgx

changes:
- update jackc/pgx/v5 v5.7.6 → v5.9.2

resolves: RHOAIENG-57063

co-authored-by: claude opus 4.6 <noreply@anthropic.com>