
fix: patch CVE-2026-39892 and CVE-2026-33186 across SDK, API and MCP images #10978

Open
HugoPBrito wants to merge 8 commits into master from fix/sdk-cves-cryptography-trivy

Conversation

HugoPBrito (Member) commented May 4, 2026

Context

AWS Inspector flagged the latest Prowler container images for two CVEs in bundled dependencies:

  • CVE-2026-39892 (medium, CVSS 6.9) — out-of-bounds read in pyca/cryptography >=45.0.0,<46.0.7 when a non-contiguous buffer is passed to APIs like Hash.update(). Fixed upstream in cryptography==46.0.7 and clean again in 47.0.0.
  • CVE-2026-33186 (critical, CVSS 9.1) — authorization bypass in gRPC-Go <1.79.3 via missing leading slash in HTTP/2 :path. The vulnerable Go binary lands in our images through the bundled Trivy CLI (both Dockerfile and api/Dockerfile ship 0.69.2). Upstream Trivy includes the patched grpc-go from v0.70.0.

This PR consolidates all image-level fixes for both CVEs across SDK, API and MCP. It supersedes Dependabot #10623 (SDK cryptography), #10622 (MCP cryptography), #10769 (API cryptography), and the now-closed stacked follow-up #10979.

Description

  • pyproject.toml (SDK): cryptography==46.0.6 → 46.0.7
  • poetry.lock (SDK): regenerated with updated cryptography-46.0.7 wheel hashes
  • Dockerfile (SDK image): ARG TRIVY_VERSION=0.69.2 → 0.70.0
  • api/Dockerfile (API image): ARG TRIVY_VERSION=0.69.2 → 0.70.0
  • api/pyproject.toml: temporarily pins the prowler git ref to this branch's SHA so api/poetry.lock can resolve cryptography 46.0.7 atomically (revert to @master post-merge, or let the next Dependabot run reset it)
  • api/poetry.lock: regenerated; cryptography 46.0.6 → 46.0.7 transitively
  • mcp_server/uv.lock: cryptography 46.0.1 → 47.0.0 (transitive, unconstrained — uv resolved to latest patch-clean version)
  • Changelog entries (### 🔐 Security):
    • prowler/CHANGELOG.md → 5.26.0 UNRELEASED
    • api/CHANGELOG.md → 1.27.0 UNRELEASED
    • mcp_server/CHANGELOG.md → new 0.7.0 UNRELEASED block

No application code changes; all bumps are drop-in patch upgrades from the same minor lines or transitive resolutions and contain no breaking changes per upstream changelogs.

Coverage matrix

| Image | CVE-2026-39892 (cryptography) | CVE-2026-33186 (Trivy/grpc-go) |
|---|---|---|
| SDK (./Dockerfile) | ✅ 46.0.7 | ✅ Trivy 0.70.0 |
| API (api/Dockerfile) | ✅ 46.0.7 (transitive) | ✅ Trivy 0.70.0 |
| MCP (mcp_server/Dockerfile) | ✅ 47.0.0 | N/A — image does not bundle Trivy |
| UI (ui/Dockerfile) | N/A — no Python | N/A — no Trivy |

Both CVEs are closed across every affected image with this single merge.

Note on the temporary prowler git ref

api/pyproject.toml currently pins prowler @ git+https://github.com/prowler-cloud/prowler.git@<this-branch-SHA> instead of @master. This is intentional and required to atomically resolve cryptography 46.0.7 in api/poetry.lock within this PR (master still has cryptography==46.0.6). After merge:

  • The pinned SHA remains reachable via the merge commit's history, so the lock keeps resolving.
  • Either revert the ref to @master in a tiny follow-up, or let the next scheduled Dependabot run rewrite it naturally. Both paths are zero-risk.

Steps to review

  1. git diff master -- pyproject.toml poetry.lock Dockerfile api/Dockerfile api/pyproject.toml api/poetry.lock mcp_server/uv.lock prowler/CHANGELOG.md api/CHANGELOG.md mcp_server/CHANGELOG.md
  2. Confirm new versions in lockfiles:
    • SDK: grep -A1 '^name = "cryptography"' poetry.lock → 46.0.7
    • API: grep -A1 '^name = "cryptography"' api/poetry.lock → 46.0.7
    • MCP: grep -A1 '^name = "cryptography"' mcp_server/uv.lock → 47.0.0
  3. Build images and verify bundled Trivy:
    • SDK: docker build -t prowler-sdk-cve . && docker run --rm prowler-sdk-cve trivy --version → Version: 0.70.0
    • API: docker build -f api/Dockerfile -t prowler-api-cve api && docker run --rm prowler-api-cve trivy --version → Version: 0.70.0
  4. Verify cryptography in each image:
    • SDK: docker run --rm prowler-sdk-cve python -c "import cryptography; print(cryptography.__version__)" → 46.0.7
    • API: docker run --rm prowler-api-cve python -c "import cryptography; print(cryptography.__version__)" → 46.0.7
    • MCP: docker run --rm prowler-mcp-cve python -c "import cryptography; print(cryptography.__version__)" → 47.0.0
  5. Optional: rerun AWS Inspector / trivy image against the rebuilt images to confirm both CVEs disappear.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me

SDK/CLI

  • Are there new checks included in this PR? No

API (if applicable)

  • Endpoint response output (if applicable) — N/A, image-only change
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable) — N/A
  • Performance test results (if applicable) — N/A
  • Verify if API specs need to be regenerated. — Not needed, no API surface change
  • Check if version updates are required. — N/A
  • Ensure new entries are added to api/CHANGELOG.md

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
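The "Description" and "Steps to review" sections above amount to a repeatable gate: every lock file must carry cryptography at or above the fixed release, and every Dockerfile that bundles Trivy must pin a release carrying the patched grpc-go. The script below is an added example, not code from the Prowler repository or from this PR: it extracts those versions from poetry.lock / uv.lock text and from a Dockerfile ARG, applies the affected ranges the PR description states, and fails closed. The version ranges for cryptography (>=45.0.0,<46.0.7) and the Trivy fix point (0.70.0) come from the PR text; the lower bound 0.0.0 for Trivy, the lock fragments and Dockerfile snippets (constructed), and all function names are assumptions made for the example.

```python
"""Added example: lock-file and Dockerfile gate for the two CVEs this PR patches.
Not Prowler code. Ranges per the PR description; everything else is assumed."""
import re

# Affected ranges as stated in the PR description. The Trivy lower bound is an
# assumption: the PR only says the bundled 0.69.2 carries the vulnerable grpc-go
# and that 0.70.0 carries the patched one.
ADVISORIES = {
    "cryptography": {"cve": "CVE-2026-39892", "affected_from": "45.0.0", "fixed_in": "46.0.7"},
    "trivy": {"cve": "CVE-2026-33186", "affected_from": "0.0.0", "fixed_in": "0.70.0"},
}


def parse_version(text):
    """'v46.0.7' -> (46, 0, 7). Numeric components only; a tail such as 'rc1' ends parsing."""
    parts = []
    for piece in text.strip().lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(package, version):
    """True when version falls inside [affected_from, fixed_in) for the package."""
    adv = ADVISORIES[package]
    v = parse_version(version)
    return parse_version(adv["affected_from"]) <= v < parse_version(adv["fixed_in"])


def lock_versions(lock_text, package):
    """Every version of `package` recorded in a poetry.lock or uv.lock.
    Both formats store packages as [[package]] tables with name/version keys,
    which is the same structure the PR's grep -A1 check relies on."""
    found = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version and name.group(1).lower() == package:
            found.append(version.group(1))
    return found


def dockerfile_arg(dockerfile_text, arg):
    """Value of `ARG <arg>=<value>` in a Dockerfile, or None when absent."""
    m = re.search(r"^ARG\s+" + re.escape(arg) + r"=(\S+)", dockerfile_text, re.M)
    return m.group(1).strip("\"'") if m else None


def audit(artifacts):
    """artifacts: iterable of (label, package, version). One row per artifact,
    open findings first."""
    rows = []
    for label, package, version in artifacts:
        rows.append({"artifact": label, "cve": ADVISORIES[package]["cve"], "package": package,
                     "version": version, "vulnerable": is_vulnerable(package, version)})
    return sorted(rows, key=lambda r: not r["vulnerable"])


def gate(lock_files, dockerfiles):
    """lock_files / dockerfiles: {label: file text}. Returns (passed, rows).
    A lock file without cryptography or a Dockerfile without TRIVY_VERSION
    (the MCP and UI images bundle no Trivy) contributes no row."""
    artifacts = []
    for label, text in lock_files.items():
        for version in lock_versions(text, "cryptography"):
            artifacts.append((label, "cryptography", version))
    for label, text in dockerfiles.items():
        version = dockerfile_arg(text, "TRIVY_VERSION")
        if version is not None:
            artifacts.append((label, "trivy", version))
    rows = audit(artifacts)
    return not any(r["vulnerable"] for r in rows), rows


# Constructed inputs modelled on the before/after state the PR describes.
BEFORE_LOCK = '''
[[package]]
name = "cffi"
version = "1.17.1"

[[package]]
name = "cryptography"
version = "46.0.6"
'''
AFTER_LOCK = BEFORE_LOCK.replace('"46.0.6"', '"46.0.7"')
MCP_LOCK = BEFORE_LOCK.replace('"46.0.6"', '"47.0.0"')
BEFORE_DOCKERFILE = "FROM python:3.12-slim\nARG TRIVY_VERSION=0.69.2\n"
AFTER_DOCKERFILE = BEFORE_DOCKERFILE.replace("0.69.2", "0.70.0")

if __name__ == "__main__":
    for state, locks, dockers in (
        ("before", {"poetry.lock": BEFORE_LOCK}, {"Dockerfile": BEFORE_DOCKERFILE}),
        ("after", {"poetry.lock": AFTER_LOCK, "mcp_server/uv.lock": MCP_LOCK},
         {"Dockerfile": AFTER_DOCKERFILE, "api/Dockerfile": AFTER_DOCKERFILE}),
    ):
        ok, rows = gate(locks, dockers)
        for r in rows:
            print(f"[{state}] {r['artifact']}: {r['package']} {r['version']} "
                  f"{'VULNERABLE' if r['vulnerable'] else 'ok'} ({r['cve']})")
        print(f"[{state}] gate: {'PASS' if ok else 'FAIL'}")
```

Running the gate against the real files (`gate({"poetry.lock": open("poetry.lock").read(), ...}, {...})`) reproduces step 2 of the review without building an image; steps 3 to 5 still need the built image, since a lock file says nothing about what the Dockerfile actually copies in.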

@HugoPBrito HugoPBrito requested review from a team as code owners May 4, 2026 13:16
github-actions Bot (Contributor) commented May 4, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

github-actions Bot (Contributor) commented May 4, 2026

✅ All necessary CHANGELOG.md files have been updated.

@HugoPBrito HugoPBrito requested a review from a team as a code owner May 4, 2026 13:21
@HugoPBrito HugoPBrito changed the title from "fix(sdk): patch CVE-2026-39892 and CVE-2026-33186 in container image" to "fix: patch CVE-2026-39892 and CVE-2026-33186 in SDK and API images" May 4, 2026
github-actions Bot (Contributor) commented May 4, 2026

🔒 Container Security Scan

Image: prowler:29b170a
Last scan: 2026-05-05 07:17:08 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 3
Total 3

3 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


github-actions Bot (Contributor) commented May 4, 2026

🔒 Container Security Scan

Image: prowler-api:29b170a
Last scan: 2026-05-05 07:17:57 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

3 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


codecov Bot commented May 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.98%. Comparing base (7c6d658) to head (3e50d40).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10978       +/-   ##
===========================================
+ Coverage   59.14%   87.98%   +28.83%     
===========================================
  Files           8     1962     +1954     
  Lines         399    90901    +90502     
===========================================
+ Hits          236    79980    +79744     
- Misses        163    10921    +10758     
Flag Coverage Δ
api 93.65% <ø> (?)
prowler-py3.10-aws 90.02% <ø> (?)
prowler-py3.10-azure 89.29% <ø> (?)
prowler-py3.10-config 84.60% <ø> (?)
prowler-py3.10-gcp 89.66% <ø> (?)
prowler-py3.10-github 88.96% <ø> (?)
prowler-py3.10-googleworkspace 87.13% <ø> (?)
prowler-py3.10-iac 88.59% <ø> (?)
prowler-py3.10-kubernetes 89.31% <ø> (+30.17%) ⬆️
prowler-py3.10-lib 84.61% <ø> (?)
prowler-py3.10-m365 88.84% <ø> (?)
prowler-py3.10-mongodbatlas 88.50% <ø> (?)
prowler-py3.10-nhn 88.91% <ø> (?)
prowler-py3.10-openstack 86.97% <ø> (?)
prowler-py3.10-oraclecloud 86.71% <ø> (?)
prowler-py3.10-vercel 86.97% <ø> (?)
prowler-py3.11-aws 90.01% <ø> (?)
prowler-py3.11-azure 89.28% <ø> (?)
prowler-py3.11-config 84.53% <ø> (?)
prowler-py3.11-gcp 89.66% <ø> (?)
prowler-py3.11-github 88.95% <ø> (?)
prowler-py3.11-googleworkspace 87.06% <ø> (?)
prowler-py3.11-iac 88.51% <ø> (?)
prowler-py3.11-kubernetes 89.31% <ø> (+30.16%) ⬆️
prowler-py3.11-lib 84.54% <ø> (?)
prowler-py3.11-m365 88.75% <ø> (?)
prowler-py3.11-mongodbatlas 88.42% <ø> (?)
prowler-py3.11-nhn 88.90% <ø> (?)
prowler-py3.11-openstack 86.90% <ø> (?)
prowler-py3.11-oraclecloud 86.63% <ø> (?)
prowler-py3.11-vercel 86.90% <ø> (?)
prowler-py3.12-aws 90.01% <ø> (?)
prowler-py3.12-azure 89.28% <ø> (?)
prowler-py3.12-config 84.59% <ø> (?)
prowler-py3.12-gcp 89.66% <ø> (?)
prowler-py3.12-github 88.96% <ø> (?)
prowler-py3.12-googleworkspace 87.13% <ø> (?)
prowler-py3.12-iac 88.59% <ø> (?)
prowler-py3.12-kubernetes 89.31% <ø> (+30.16%) ⬆️
prowler-py3.12-lib 84.60% <ø> (?)
prowler-py3.12-m365 88.83% <ø> (?)
prowler-py3.12-mongodbatlas 88.50% <ø> (?)
prowler-py3.12-nhn 88.91% <ø> (?)
prowler-py3.12-openstack 86.97% <ø> (?)
prowler-py3.12-oraclecloud 86.71% <ø> (?)
prowler-py3.12-vercel 86.97% <ø> (?)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 84.60% <ø> (+25.46%) ⬆️
api 93.65% <ø> (∅)

@HugoPBrito HugoPBrito changed the title from "fix: patch CVE-2026-39892 and CVE-2026-33186 in SDK and API images" to "fix: patch CVE-2026-39892 and CVE-2026-33186 across SDK, API and MCP images" May 4, 2026
github-actions Bot (Contributor) commented May 4, 2026

🔒 Container Security Scan

Image: prowler-mcp:29b170a
Last scan: 2026-05-05 07:09:17 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 3
Total 3

3 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


Comment thread api/CHANGELOG.md Outdated
Comment thread mcp_server/CHANGELOG.md Outdated
Comment thread prowler/CHANGELOG.md Outdated
HugoPBrito added a commit that referenced this pull request May 4, 2026
- Patch out-of-bounds read on non-contiguous buffers in Hash.update
  et al. in the API image transitively via the prowler SDK pin
- Lockfile regen deferred to a follow-up commit on this branch after
  #10978 lands on master (api/pyproject.toml resolves prowler from
  git@master, blocking the lock until then)
HugoPBrito added a commit that referenced this pull request May 4, 2026
- Patch out-of-bounds read on non-contiguous buffers in Hash.update
  et al. in the API image transitively via the prowler SDK pin
- Lockfile regen deferred to a follow-up commit on this branch after
  #10978 lands on master (api/pyproject.toml resolves prowler from
  git@master, blocking the lock until then)
HugoPBrito added a commit that referenced this pull request May 4, 2026
- Merge per-image security entries into a single line per changelog
- Add PR #10978 reference to each entry
@jfagoagas jfagoagas self-requested a review May 4, 2026 16:06
HugoPBrito and others added 5 commits May 5, 2026 08:06
- Bump cryptography 46.0.6 -> 46.0.7 (CVE-2026-39892, out-of-bounds
  read on non-contiguous buffers in Hash.update et al.)
- Bump bundled Trivy binary 0.69.2 -> 0.70.0 (CVE-2026-33186,
  gRPC-Go authorization bypass via missing leading slash in
  HTTP/2 :path)
- Regenerate poetry.lock with updated cryptography hashes
- Patch gRPC-Go auth bypass (missing leading slash in HTTP/2 :path)
  also in the API container image, which bundles the same Trivy CLI
- Update SDK changelog entry to reflect both images are now covered
- Patch CVE-2026-39892 (out-of-bounds read on non-contiguous buffers)
  along with prior 46.x security fixes (CVE-2026-26007,
  CVE-2026-34073) in the MCP server image
- Resolved transitively via uv.lock; no direct dep added
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
HugoPBrito and others added 3 commits May 5, 2026 08:06
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>


- Patch out-of-bounds read on non-contiguous buffers in Hash.update
  et al. in the API image transitively via the prowler SDK pin
- Temporarily pin the prowler git ref in api/pyproject.toml to this
  branch's HEAD SHA so api/poetry.lock can resolve cryptography 46.0.7
  before the SDK bump lands on master; revert to @master in a follow-up
  (or let the next Dependabot run reset it) once this PR is merged
- Merge per-image security entries into a single line per changelog
- Add PR #10978 reference to each entry
@HugoPBrito HugoPBrito force-pushed the fix/sdk-cves-cryptography-trivy branch from 8c5e2d6 to 3e50d40 May 5, 2026 07:07