Skip to content

Security: CVE-2026-33186 (Critical) and CVE-2026-24051 (High) in Envoy Gateway v1.6.6 dependencies #8834

Description

@henriqcabral

Description:

Summary

The Envoy Gateway v1.6.6 container image (sha256:864d21b8d43c1558ac163a828a6590460d9c9435ec1bf4bb4c8432e58a3fca5b) ships two vulnerable Go dependencies detected by Twistlock (Prisma Cloud):

CVE Package Current Version Fixed Version Severity CVSS 3.1
CVE-2026-33186 [google.golang.org/grpc](http://google.golang.org/grpc) v1.76.0 v1.79.3 Critical 9.1
CVE-2026-24051 [go.opentelemetry.io/otel/sdk](http://go.opentelemetry.io/otel/sdk) v1.38.0 v1.40.0 High 7.0

CVE-2026-33186 — gRPC-Go Authorization Bypass (Critical)

CWE-285 · Improper Authorization

gRPC-Go versions prior to v1.79.3 are vulnerable to an authorization bypass caused by improper input validation of the HTTP/2 :path pseudo-header. The server accepts requests where :path omits the mandatory leading slash (e.g. Service/Method instead of /Service/Method). While these requests are routed to the correct handler, path-based authorization interceptors — including the official grpc/authz RBAC implementation — evaluate the raw, non-canonical path and fail to match "deny" rules, effectively bypassing the policy when a fallback "allow" rule is present.

An attacker capable of sending raw HTTP/2 frames with malformed :path headers can exploit this to bypass gRPC authorization policies.

CVE-2026-24051 — OpenTelemetry Go SDK Path Hijacking (High)

CWE-426 · Untrusted Search Path

OpenTelemetry Go SDK versions v1.20.0 through v1.39.0 are vulnerable to path hijacking on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command via an untrusted search path. An attacker with the ability to modify the local PATH environment variable can achieve arbitrary code execution (ACE) in the context of the application.


Environment

  • Envoy Gateway version: v1.6.6
  • Image digest: sha256:864d21b8d43c1558ac163a828a6590460d9c9435ec1bf4bb4c8432e58a3fca5b
  • Scanner: Twistlock (Prisma Cloud Compute)

Expected Resolution

Bump the affected dependencies in the next patch release of the v1.6.x line (ref: #8735) to include the fixed versions listed above.

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions