chore(core): cve mitigation 15-04-2026 for release 1.6.3#2218

Draft
LopatinDmitr wants to merge 1 commit into release-1.6 from fix-cve-for-release-1-6

Conversation

@LopatinDmitr
Contributor

Description

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: chore
summary: CVE mitigation for release 1.6.3

@LopatinDmitr LopatinDmitr self-assigned this Apr 15, 2026
@LopatinDmitr LopatinDmitr force-pushed the fix-cve-for-release-1-6 branch from 73ec511 to 22694b8 on April 15, 2026 15:56
- **CRITICAL** `CVE-2026-33186` — google.golang.org/grpc/grpc-go: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation.
- **HIGH** `CVE-2026-39883` — opentelemetry-go: BSD `kenv` command not using absolute path enables PATH hijacking.
- **HIGH** `CVE-2026-34986` — Go JOSE: Denial of Service via crafted JSON Web Encryption.
- **HIGH** `CVE-2026-34040` — Moby: Authorization bypass vulnerability.
- **HIGH** `CVE-2026-25679` — net/url: Incorrect parsing of IPv6 host literals in `net/url`.
- **HIGH** `CVE-2026-32280` — During chain building, the amount of work that is done is not properly limited.
- **HIGH** `CVE-2026-32282` — golang `internal/syscall/unix`: `Root.Chmod` can follow symlinks out of the root.
- **MEDIUM** `CVE-2026-33726` — Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic.
- **MEDIUM** `CVE-2026-33997` — Moby: Privilege validation bypass during plugin installation.
- **MEDIUM** `CVE-2026-27142` — `html/template`: URLs in meta content attribute actions are not escaped.
- **MEDIUM** `CVE-2026-32281` — Go `crypto/x509`: Denial of Service via inefficient certificate chain validation.
- **MEDIUM** `CVE-2026-32288` — Go `archive/tar` package: Denial of Service via maliciously-crafted archive.
- **MEDIUM** `CVE-2026-32289` — `html/template`: Cross-Site Scripting (XSS) via improper context and brace depth handling.
- **LOW** `CVE-2026-27139` — `os`: `FileInfo` can escape from a Root in golang `os` module.
- **UNKNOWN** `CVE-2026-32283` — If one side of the TLS connection sends multiple key update messages, connection handling may be unsafe.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the fix-cve-for-release-1-6 branch from 22694b8 to 858ce5c on April 15, 2026 16:54
1 participant