The latest cluster-autoscaler container image (v1.35.0) ships with a Critical severity vulnerability in google.golang.org/grpc — Incorrect Authorization (CVE-2026-33186 / SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172).
Fix available in: grpc v1.79.3
Please update the google.golang.org/grpc dependency to v1.79.3 or later to resolve this Critical vulnerability. The latest release (v1.35.0) does not include the fix, so users cannot mitigate by upgrading cluster-autoscaler alone.
Impact
- CVE: CVE-2026-33186
- Vulnerability type: Incorrect Authorization
- Severity: Critical
- Affected component: google.golang.org/grpc
- The latest release is affected — there is no version of cluster-autoscaler that resolves this today.
References
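One way to confirm whether a given build carries the fix is to read the module list the Go toolchain embeds in the binary and compare the linked google.golang.org/grpc version against v1.79.3. This is an added example, not code from the report or from the cluster-autoscaler project; the tool name `grpccheck` and the function names are assumptions, and the binary is assumed to have been copied out of the image first.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

const grpcPath = "google.golang.org/grpc"

// hasFix reports whether module version v is at or above v1.79.3 (fix version per the report).
func hasFix(v string) (bool, error) {
	got, fixed := [3]int{}, [3]int{1, 79, 3}
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("unexpected version %q", v)
	}
	for i := range got {
		if got[i] != fixed[i] {
			return got[i] > fixed[i], nil // numeric compare: v1.8.0 is older than v1.79.3
		}
	}
	return !strings.Contains(v, "-"), nil // pre-release or pseudo-version of v1.79.3 sorts below it
}

// check reads the module list embedded in a Go binary and tests its grpc version.
func check(binary string) (string, bool, error) {
	info, err := buildinfo.ReadFile(binary)
	if err != nil {
		return "", false, err
	}
	for _, d := range info.Deps {
		if d.Path == grpcPath {
			if d.Replace != nil {
				d = d.Replace // a replace directive decides what was compiled in
			}
			ok, err := hasFix(d.Version)
			return d.Version, ok, err
		}
	}
	return "", false, fmt.Errorf("%s is not linked into %s", grpcPath, binary)
}

func main() { // usage: grpccheck <go-binary>; exit status 1 = unfixed or unknown
	v, ok, err := check(strings.Join(os.Args[1:], " "))
	fmt.Printf("grpc %q has fix: %v (error: %v)\n", v, ok, err)
	if !ok {
		os.Exit(1)
	}
}
```

A binary built without module information, or with grpc replaced by a local directory, yields an error rather than a version, and the check treats that as not verified.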