Describe the bug
Found CVE
Steps to reproduce
I did a trivy scan just to be sure
trivy image fluxcd/flux-cli:v2.8.6

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
| --- | --- | --- | --- | --- | --- | --- |
| google.golang.org/grpc | CVE-2026-33186 | CRITICAL | fixed | v1.78.0 | 1.79.3 | google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation |

Expected behavior
Update the gRPC-Go version to resolve the CVE, if the issue is applicable.
Screenshots and recordings
OS / Distro
Ubuntu 20.04
Flux version
v2.8.3 to v2.8.6
Flux check
$ flux check
► checking prerequisites
✗ flux 2.8.3 <2.8.6 (new CLI version is available, please upgrade)
✔ Kubernetes 1.35.1 >=1.33.0-0
► checking version in cluster
✔ distribution: flux-v2.8.3
✔ bootstrapped: true
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/image-automation-controller:v0.36.0
✔ image-reflector-controller: deployment ready
► ghcr.io/fluxcd/image-reflector-controller:v0.30.0
✔ kustomize-controller: deployment ready
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1
✔ externalartifacts.source.toolkit.fluxcd.io/v1
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ imagepolicies.image.toolkit.fluxcd.io/v1
✔ imagerepositories.image.toolkit.fluxcd.io/v1
✔ imageupdateautomations.image.toolkit.fluxcd.io/v1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed
Git provider
No response
Container Registry provider
No response
Additional context
This is my first time submitting an issue here, not sure if this is the right place for CVE issues.