CVE-2028-33186: google.golang.org/grpc v1.79.1 authorization bypass

## Summary

Cloud SQL Proxy v2.21.2 bundles `google.golang.org/grpc` v1.79.1, which is affected by **CVE-2028-33186** (Critical): an authorization bypass via missing leading slash in `:path`. The fix is available in grpc v1.79.3.

## Impact

gRPC-Go has an authorization bypass via missing leading slash in `:path`. The worst case impact is "Attacker can abuse improper authorization."

## Requested Fix

Bump `google.golang.org/grpc` from v1.79.1 to v1.79.3 (or later) in the next release.

## References

- [CVE-2028-33186](https://nvd.nist.gov/vuln/detail/CVE-2028-33186)
- Detected via Aikido security scanner on the `gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.21.2` container image

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2028-33186: google.golang.org/grpc v1.79.1 authorization bypass #2577

Summary

Impact

Requested Fix

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2028-33186: google.golang.org/grpc v1.79.1 authorization bypass #2577

Description

Summary

Impact

Requested Fix

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions