Skip to content

fix(controlplane): upgrade Atlas image to fix critical gRPC CVE#2993

Merged
migmartri merged 1 commit into
chainloop-dev:mainfrom
migmartri:miguel/pfm-5238-atlas-grpc-cve-fix
Apr 7, 2026
Merged

fix(controlplane): upgrade Atlas image to fix critical gRPC CVE#2993
migmartri merged 1 commit into
chainloop-dev:mainfrom
migmartri:miguel/pfm-5238-atlas-grpc-cve-fix

Conversation

@migmartri

Copy link
Copy Markdown
Member

Summary

  • Upgrade Atlas from v1.1.7-0f00ade-canary to v1.1.7-2e53571-canary which ships google.golang.org/grpc v1.79.3+
  • Fixes GHSA-p77j-4mvh-x3m3 (Critical, CVSS 9.1) — gRPC-Go authorization bypass via missing leading slash in :path header
  • Resolves no-vulnerabilities-high policy failure for the control-plane-migrations image

Closes #2941

Upgrade Atlas from v1.1.7-0f00ade-canary to v1.1.7-2e53571-canary
which ships google.golang.org/grpc v1.79.3+, fixing GHSA-p77j-4mvh-x3m3
(Critical, CVSS 9.1) — gRPC-Go authorization bypass via missing leading
slash in :path header.

Closes chainloop-dev#2941

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

@migmartri migmartri requested a review from a team April 7, 2026 15:32
@migmartri migmartri merged commit 335fe2f into chainloop-dev:main Apr 7, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Atlas image ships google.golang.org/grpc v1.77.0 with critical CVE GHSA-p77j-4mvh-x3m3

2 participants