
fix: add CVE-2026-27137 and CVE-2026-33810 (Go stdlib in Dapr) to base allowlist#1388

Open
revantgupta wants to merge 2 commits into main from fix/add-go-stdlib-cves-to-base-allowlist

Conversation

@revantgupta

Summary

Two Go stdlib CVEs surfaced during the atlan-mongodbatlas-app security gate run after upgrading to SDK 2.8.5. They are not in the current base allowlist and are blocking the security gate.

CVEs

| CVE | Package | Severity | Source |
|---|---|---|---|
| CVE-2026-27137 | stdlib (Go) | HIGH | Dapr runtime (daprd-1.17) in base image |
| CVE-2026-33810 | stdlib (Go) | HIGH | Dapr runtime (daprd-1.17) in base image |

Why these can't be fixed in the app repo

The Go stdlib is compiled into the daprd-1.17 binary installed via `apk add dapr-daprd-1.17` in the application-sdk Dockerfile. There is no way to patch Go stdlib from an app repo — this requires either:

  • Upgrading Dapr to a version compiled against a patched Go version
  • Or allowlisting until that upgrade lands

Pattern

Matches existing Go stdlib entries already in the base allowlist:

  • CVE-2026-25679 — Go stdlib (added 2026-04-15)
  • CVE-2026-32280 — Go stdlib (added 2026-04-15)
  • CVE-2026-32282 — Go stdlib (added 2026-04-15)

90-day expiry (2026-07-16) per the renewal note in the allowlist.

Reported by

atlanhq/atlan-mongodbatlas-app PR #27 — security gate blocked on these two CVEs after SDK 2.8.5 upgrade.

🤖 Generated with Claude Code

Both CVEs are in Go stdlib compiled into the Dapr runtime (daprd-1.17)
shipped in the application-sdk-main base image. No fix available without
a Dapr upgrade. Pattern matches existing Go stdlib entries added by
mananjain99 on 2026-04-15.

Reported by atlan-mongodbatlas-app during SDK 2.8.5 security gate run.
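As an added illustration (not code from this repo or from the PR), a small Python check of the time-boxed allowlist convention the PR relies on: a finding is suppressed only when CVE and package both match an entry, and an entry that has passed its 90-day window stops suppressing and is reported for renewal instead. The allowlist layout, the `AllowlistEntry` type and the assumed 2026-04-17 add date for the two new CVEs (which yields the 2026-07-16 expiry quoted above) are assumptions.

```python
"""Time-boxed CVE allowlist check (constructed example, not the repo's tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta

EXPIRY_DAYS = 90  # renewal window quoted in the PR


@dataclass(frozen=True)
class AllowlistEntry:
    cve: str
    package: str  # package name as the scanner reports it
    added: date


# Entries named in the PR. The two new ones are assumed added on 2026-04-17,
# which is what makes the 2026-07-16 expiry quoted in the PR come out.
BASE_ALLOWLIST = [
    AllowlistEntry("CVE-2026-25679", "stdlib", date(2026, 4, 15)),
    AllowlistEntry("CVE-2026-32280", "stdlib", date(2026, 4, 15)),
    AllowlistEntry("CVE-2026-32282", "stdlib", date(2026, 4, 15)),
    AllowlistEntry("CVE-2026-27137", "stdlib", date(2026, 4, 17)),
    AllowlistEntry("CVE-2026-33810", "stdlib", date(2026, 4, 17)),
]


def expiry_date(entry: AllowlistEntry, days: int = EXPIRY_DAYS) -> date:
    """Last day on which the entry still suppresses a finding."""
    return entry.added + timedelta(days=days)


def evaluate_findings(findings, allowlist, today_iso: str) -> dict:
    """Split scanner findings into allowed and blocking sets.

    findings: (cve, package) pairs as a scanner would report them.
    An entry suppresses a finding only if CVE *and* package match and the
    entry has not expired; expired matches are listed separately so the
    renewal decision is surfaced rather than silently re-blocking the gate.
    """
    today = date.fromisoformat(today_iso)
    by_key = {(e.cve, e.package): e for e in allowlist}
    result = {"allowed": [], "blocking": [], "expired": []}
    for cve, package in findings:
        entry = by_key.get((cve, package))
        if entry is None:
            result["blocking"].append(cve)
        elif today > expiry_date(entry):
            result["expired"].append(cve)
            result["blocking"].append(cve)
        else:
            result["allowed"].append(cve)
    return result
```

The placeholder CVE used in any local trial (e.g. `CVE-XXXX-PLACEHOLDER`) is not a real identifier; a scanner finding with no matching entry simply lands in `blocking`.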

snykgituser commented Apr 16, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |


@Aryamanz29
Member

v3 relevance check: ✅ Still relevant — Go stdlib CVE allowlist for Dapr. Please rebase on latest main and merge.
