Description
Problem
CVE-2026-33186 (https://nvd.nist.gov/vuln/detail/CVE-2026-33186), marked as CRITICAL, reports that gRPC-Go (google.golang.org/grpc) has an authorization bypass via a missing leading slash in :path.
FrankenPHP uses gRPC-Go (google.golang.org/grpc) as an indirect dependency.
Running a security scanner like Trivy or ECR on a container image that uses dunglas/frankenphp:1.12.1-php8.4-trixie as the base image reports the CRITICAL CVE-2026-33186 on the FrankenPHP binary.
Recommendation / Fix
It is recommended to update gRPC-Go (google.golang.org/grpc) to version 1.79.3.
FrankenPHP is currently using version 1.79.2.
Comments on Impact
I'm currently investigating what impact CVE-2026-33186 has on the FrankenPHP library.
Can you please comment on what the impact is and what mitigation, if any, has to be taken before the gRPC-Go (google.golang.org/grpc) dependency is updated to version 1.79.3.
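The report above is based on what a container scanner matched against the binary. Before and after bumping the dependency, the version that actually ships can be read straight from the Go build info embedded in the FrankenPHP executable (the quick CLI form is `go version -m /path/to/frankenphp`). The program below is an added example written for this issue, not code from FrankenPHP, gRPC-Go or the reporter: it reads the build info with the standard-library `debug/buildinfo` package, prefers a `replace`d version over the nominal one (since that is what gets linked), and compares it numerically against the v1.79.3 threshold named in the recommendation. The module path and threshold come from the report; the `grpccheck` name, the `checkGRPC`/`versionAtLeast` helpers and the sample build info are constructed for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Module path and recommended minimum version, both taken from the report.
const (
	grpcModule      = "google.golang.org/grpc"
	minFixedVersion = "v1.79.3"
)

// parseSemver turns "v1.79.2" into [1 79 2]. A pre-release or build suffix
// ("-rc1", "+incompatible") is dropped before parsing.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// versionAtLeast reports whether have >= want, comparing the three numeric
// components in order (so v1.79.10 correctly sorts above v1.79.3).
func versionAtLeast(have, want string) (bool, error) {
	h, err := parseSemver(have)
	if err != nil {
		return false, err
	}
	w, err := parseSemver(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// effectiveModule returns the version of path that is actually linked. A
// go.mod `replace` shows up as dep.Replace, and that is what ships.
func effectiveModule(bi *debug.BuildInfo, path string) (string, bool) {
	for _, dep := range bi.Deps {
		if dep.Path != path {
			continue
		}
		if dep.Replace != nil {
			return dep.Replace.Version, true
		}
		return dep.Version, true
	}
	return "", false
}

// checkGRPC reports whether the binary links gRPC-Go at or above the
// recommended version. If the module is not linked at all, version is ""
// and ok is true: the advisory cannot apply to code that is not present.
func checkGRPC(bi *debug.BuildInfo) (ok bool, version string, err error) {
	version, found := effectiveModule(bi, grpcModule)
	if !found {
		return true, "", nil
	}
	ok, err = versionAtLeast(version, minFixedVersion)
	return ok, version, err
}

// buildInfoWith constructs (not dumps from a real binary) a BuildInfo that
// links gRPC-Go at version, optionally replaced by replacedBy.
func buildInfoWith(version, replacedBy string) *debug.BuildInfo {
	dep := &debug.Module{Path: grpcModule, Version: version}
	if replacedBy != "" {
		dep.Replace = &debug.Module{Path: grpcModule, Version: replacedBy}
	}
	return &debug.BuildInfo{Main: debug.Module{Path: "example.invalid/app"}, Deps: []*debug.Module{dep}}
}

// sampleBuildInfo mirrors the situation in the report: gRPC-Go at v1.79.2.
func sampleBuildInfo() *debug.BuildInfo { return buildInfoWith("v1.79.2", "") }

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: grpccheck <path-to-go-binary>")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // same data as `go version -m`
	if err != nil {
		fmt.Fprintln(os.Stderr, "read build info:", err)
		os.Exit(2)
	}
	ok, version, err := checkGRPC(bi)
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, "version check:", err)
		os.Exit(2)
	case version == "":
		fmt.Printf("%s: %s is not linked\n", os.Args[1], grpcModule)
	case ok:
		fmt.Printf("%s: %s %s (>= %s)\n", os.Args[1], grpcModule, version, minFixedVersion)
	default:
		fmt.Printf("%s: %s %s is below %s\n", os.Args[1], grpcModule, version, minFixedVersion)
		os.Exit(1)
	}
}
```

Run it against the binary extracted from the image (for example `docker cp` it out of a container started from dunglas/frankenphp:1.12.1-php8.4-trixie) and it exits 1 while the linked version is below v1.79.3; after the dependency bump it exits 0. The same check is useful for a scanner triage: if `go version -m` shows the module at or above the fixed version but the scanner still flags it, the finding is a database or matching problem rather than a vulnerable build.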