Description:
Summary
The Envoy Gateway v1.6.6 container image (sha256:864d21b8d43c1558ac163a828a6590460d9c9435ec1bf4bb4c8432e58a3fca5b) ships two vulnerable Go dependencies detected by Twistlock (Prisma Cloud):
CVE-2026-33186 — gRPC-Go Authorization Bypass (Critical)
CWE-285 · Improper Authorization
gRPC-Go versions prior to v1.79.3 are vulnerable to an authorization bypass caused by improper input validation of the HTTP/2 :path pseudo-header. The server accepts requests where :path omits the mandatory leading slash (e.g. Service/Method instead of /Service/Method). While these requests are routed to the correct handler, path-based authorization interceptors — including the official grpc/authz RBAC implementation — evaluate the raw, non-canonical path and fail to match "deny" rules, effectively bypassing the policy when a fallback "allow" rule is present.
An attacker capable of sending raw HTTP/2 frames with malformed :path headers can exploit this to bypass gRPC authorization policies.
CVE-2026-24051 — OpenTelemetry Go SDK Path Hijacking (High)
CWE-426 · Untrusted Search Path
OpenTelemetry Go SDK versions v1.20.0 through v1.39.0 are vulnerable to path hijacking on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command via an untrusted search path. An attacker with the ability to modify the local PATH environment variable can achieve arbitrary code execution (ACE) in the context of the application.
Environment
- Envoy Gateway version: v1.6.6
- Image digest:
sha256:864d21b8d43c1558ac163a828a6590460d9c9435ec1bf4bb4c8432e58a3fca5b
- Scanner: Twistlock (Prisma Cloud Compute)
Expected Resolution
Bump the affected dependencies in the next patch release of the v1.6.x line (ref: #8735) to include the fixed versions listed above.
Description:
Summary
The Envoy Gateway v1.6.6 container image (
sha256:864d21b8d43c1558ac163a828a6590460d9c9435ec1bf4bb4c8432e58a3fca5b) ships two vulnerable Go dependencies detected by Twistlock (Prisma Cloud):[google.golang.org/grpc](http://google.golang.org/grpc)[go.opentelemetry.io/otel/sdk](http://go.opentelemetry.io/otel/sdk)CVE-2026-33186 — gRPC-Go Authorization Bypass (Critical)
CWE-285 · Improper Authorization
gRPC-Go versions prior to v1.79.3 are vulnerable to an authorization bypass caused by improper input validation of the HTTP/2
:pathpseudo-header. The server accepts requests where:pathomits the mandatory leading slash (e.g.Service/Methodinstead of/Service/Method). While these requests are routed to the correct handler, path-based authorization interceptors — including the officialgrpc/authzRBAC implementation — evaluate the raw, non-canonical path and fail to match "deny" rules, effectively bypassing the policy when a fallback "allow" rule is present.An attacker capable of sending raw HTTP/2 frames with malformed
:pathheaders can exploit this to bypass gRPC authorization policies.[google.golang.org/grpc](http://google.golang.org/grpc) to v1.79.3+CVE-2026-24051 — OpenTelemetry Go SDK Path Hijacking (High)
CWE-426 · Untrusted Search Path
OpenTelemetry Go SDK versions v1.20.0 through v1.39.0 are vulnerable to path hijacking on macOS/Darwin systems. The resource detection code in
sdk/resource/host_id.goexecutes theioregsystem command via an untrusted search path. An attacker with the ability to modify the localPATHenvironment variable can achieve arbitrary code execution (ACE) in the context of the application.[go.opentelemetry.io/otel/sdk](http://go.opentelemetry.io/otel/sdk) to v1.40.0+Environment
sha256:864d21b8d43c1558ac163a828a6590460d9c9435ec1bf4bb4c8432e58a3fca5bExpected Resolution
Bump the affected dependencies in the next patch release of the v1.6.x line (ref: #8735) to include the fixed versions listed above.