A critical authorization bypass vulnerability (CVE-2026-33186, CVSS 9.1) in the gRPC-Go library allows attackers to bypass intended access controls due to improper HTTP/2 path validation. The vulnerability affects Red Hat build of MicroShift 4.16, specifically due to its inclusion of an affected grpc-go library version prior to 1.79.3. The fix is included in the updated Red Hat build of MicroShift 4.16.63 packages and images, which users are advised to apply following the provided documentation.
Red Hat Product Errata RHSA-2026:20436 - Security Advisory Issued: 2026-05-28 Updated: 2026-05-28 RHSA-2026:20436 - Security Advisory Overview Updated Packages Synopsis Important: Red Hat build of MicroShift 4.16.63 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic Red Hat build of MicroShift release 4.16.63 is now available with updates to packages and images that include a security update. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift Container Platform. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments. This advisory contains the RPM packages for Red Hat build of MicroShift 4.16.63. Read the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2026:20041 Security Fix(es): google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186) All Red Hat build of MicroShift 4.16 users are advised to use these updated packages and images when they are available in the RPM repository. Solution For MicroShift 4.16, read the following documentation for important instructions on how to install the latest RPMs and fully apply this asynchronous errata update: https://docs.redhat.com/en/documentation/red_hat_build_of_microshift/4.16/html/red_hat_build_of_microshift_release_notes/index Affected Products Red Hat OpenShift Container Platform 4.16 for RHEL 9 x86_64 Red Hat OpenShift Container Platform for Power 4.16 for RHEL 9 ppc64le Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.16 for RHEL 9 s390x Red Hat OpenShift Container Platform for ARM 64 4.16 for RHEL 9 aarch64 Fixes BZ - 2449833 - CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation CVEs CVE-2026-33186 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat OpenShift Container Platform 4.16 for RHEL 9 SRPM microshift-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.src.rpm SHA-256: 75a933b2ca45b67792a73f28bd20cd72d89e119fd4b7d2ca54900c2a3bfca818 x86_64 microshift-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.x86_64.rpm SHA-256: aa85445a0cc43214d5d962272abc6f3f8aa2a64a490e7cbd4a9fa5328392b585 microshift-greenboot-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: b0852ea14191ddd15f7402962cd57d34c73b3eda137d7969e2c062fe7b797213 microshift-multus-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.x86_64.rpm SHA-256: 7c9ad23e2c0b1b8eca4275d7dd1f4676948ad7588bd4827458ea955a8c6a976c microshift-multus-release-info-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: 50c3246c89450ef85ada78cff3f783eaf17338203ee92e9dc9bf071a1971ad22 microshift-networking-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.x86_64.rpm SHA-256: 7a76031469240016a0896603e57d333a9b03348fa5fbf3bb0a69672397a716f1 microshift-olm-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.x86_64.rpm SHA-256: e28cbd41627bd8774830f02d77d02fc1c19d199635ea0aefe91782c28ba2eb21 microshift-olm-release-info-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: ffea637d406d8011c2b73581a19917e6ace645e7caa77b161877459f15f8da3b microshift-release-info-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: 0bf54a3c99580d2d7637bfb4267f022d43b5e8e3456b366ddde11d059a1740b7 microshift-selinux-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: a35c9ce33421fbae1ea63ae3cefd90099de780a70fc41401f8e37cc167e06fb0 Red Hat OpenShift Container Platform for Power 4.16 for RHEL 9 SRPM microshift-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.src.rpm SHA-256: 75a933b2ca45b67792a73f28bd20cd72d89e119fd4b7d2ca54900c2a3bfca818 ppc64le microshift-greenboot-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: b0852ea14191ddd15f7402962cd57d34c73b3eda137d7969e2c062fe7b797213 microshift-release-info-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: 0bf54a3c99580d2d7637bfb4267f022d43b5e8e3456b366ddde11d059a1740b7 microshift-selinux-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: a35c9ce33421fbae1ea63ae3cefd90099de780a70fc41401f8e37cc167e06fb0 Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.16 for RHEL 9 SRPM microshift-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.src.rpm SHA-256: 75a933b2ca45b67792a73f28bd20cd72d89e119fd4b7d2ca54900c2a3bfca818 s390x microshift-greenboot-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: b0852ea14191ddd15f7402962cd57d34c73b3eda137d7969e2c062fe7b797213 microshift-release-info-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: 0bf54a3c99580d2d7637bfb4267f022d43b5e8e3456b366ddde11d059a1740b7 microshift-selinux-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: a35c9ce33421fbae1ea63ae3cefd90099de780a70fc41401f8e37cc167e06fb0 Red Hat OpenShift Container Platform for ARM 64 4.16 for RHEL 9 SRPM microshift-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.src.rpm SHA-256: 75a933b2ca45b67792a73f28bd20cd72d89e119fd4b7d2ca54900c2a3bfca818 aarch64 microshift-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.aarch64.rpm SHA-256: aaa0273a771f97f22a455301b58edfe8183bc13f8a62095e68ae363fdf02fd85 microshift-greenboot-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: b0852ea14191ddd15f7402962cd57d34c73b3eda137d7969e2c062fe7b797213 microshift-multus-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.aarch64.rpm SHA-256: e8fed6571c7e2d04c24cec2083f5080d5f954700f38dfe461248c71dee2c13f4 microshift-multus-release-info-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: 50c3246c89450ef85ada78cff3f783eaf17338203ee92e9dc9bf071a1971ad22 microshift-networking-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.aarch64.rpm SHA-256: 7a48a43c26f6b1fc99dfdad02a54a2be3921c62bd77b885d286cb19609a61ae0 microshift-olm-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.aarch64.rpm SHA-256: 189b19a51d6ee17815e4817a1e6a8524e9f2c2734e6a61a41a4c92099ae0c727 microshift-olm-release-info-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: ffea637d406d8011c2b73581a19917e6ace645e7caa77b161877459f15f8da3b microshift-release-info-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: 0bf54a3c99580d2d7637bfb4267f022d43b5e8e3456b366ddde11d059a1740b7 microshift-selinux-4.16.63-202605251227.p0.g1133ac0.assembly.4.16.63.el9.noarch.rpm SHA-256: a35c9ce33421fbae1ea63ae3cefd90099de780a70fc41401f8e37cc167e06fb0 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .