google.golang.org/grpc v1.77.0 with critical CVE GHSA-p77j-4mvh-x3m3

## Summary

  The Atlas Docker images (including `latest` tag as of 2026-03-26, which reports `v1.1.7-8165740-canary`) bundle `google.golang.org/grpc` v1.77.0, which is affected by **GHSA-p77j-4mvh-x3m3** (Critical, CVSS 9.1) — gRPC-Go authorization bypass via
  missing leading slash in `:path`.

  The fix is available in `google.golang.org/grpc` v1.79.3.

## Reproduction

  ```bash
  $ grype arigaio/atlas:latest --only-fixed
  NAME                    INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY
  google.golang.org/grpc  v1.77.0    1.79.3    go-module  GHSA-p77j-4mvh-x3m3  Critical

  Request

  Please bump google.golang.org/grpc to v1.79.3 or later and publish updated images.

  References

  - https://github.com/advisories/GHSA-p77j-4mvh-x3m3
  - https://github.com/grpc/grpc-go/releases/tag/v1.79.3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

google.golang.org/grpc v1.77.0 with critical CVE GHSA-p77j-4mvh-x3m3 #3705

Summary

Reproduction

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

google.golang.org/grpc v1.77.0 with critical CVE GHSA-p77j-4mvh-x3m3 #3705

Description

Summary

Reproduction

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions