CVE-2026-33186 google.golang.org/grpc false-positive

[bmwiedemann]

Checklist

• This is a bug report, not a question. Ask questions on discuss.ipfs.tech.
• I have searched on the issue tracker for my bug.
• I am running the latest kubo version or have an issue updating.

Installation method

built from source

Version

master

Config

Description

https://bugzilla.suse.com/show_bug.cgi?id=1260233 notified me of CVE-2026-33186:

kubo: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header

That affects the version 1.79.2 used in kubo atm. Please update to version 1.79.3 or later.

[lidel]

Thanks for the report.

Kubo is not affected at runtime. CVE-2026-33186 is a server-side bug in google.golang.org/grpc: a crafted HTTP/2 :path can bypass authorization on a gRPC server. Kubo does not run a gRPC server. Its network surfaces are the HTTP RPC API, HTTP Gateway, and libp2p. No Kubo source file imports google.golang.org/grpc, and there is no grpc.NewServer call.

grpc is pulled in indirectly by the OpenTelemetry OTLP trace exporter (otlptracegrpc), which is a client used to send traces to a collector when OTLP tracing is enabled. The vulnerable server path is never reached.

We'll still bump google.golang.org/grpc to v1.79.3+ in boxo/p2p-forge (https://github.com/ipshipyard/p2p-forge/releases/tag/v0.8.0) at some point, so SBOM/CVE scanners stop flagging the binary. Keeping this open until its done.