Security: Vulnerable dependencies in 1password/scim:v2.9.14 #394

@tzahari

Description

A Trivy scan of the 1password/scim:v2.9.14 image reveals 7 vulnerabilities (1 CRITICAL, 6 HIGH) in bundled Go dependencies.

Scan Results

| Library | CVE | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| google.golang.org/grpc | CVE-2026-33186 | CRITICAL | v1.75.1 | 1.79.3 |
| github.com/caddyserver/caddy/v2 | CVE-2026-27586 | HIGH | v2.9.1 | 2.11.1 |
| github.com/caddyserver/caddy/v2 | CVE-2026-27587 | HIGH | v2.9.1 | 2.11.1 |
| github.com/caddyserver/caddy/v2 | CVE-2026-27588 | HIGH | v2.9.1 | 2.11.1 |
| github.com/caddyserver/caddy/v2 | CVE-2026-27590 | HIGH | v2.9.1 | 2.11.1 |
| github.com/quic-go/quic-go | CVE-2025-59530 | HIGH | v0.48.2 | 0.49.1 |
| stdlib (Go) | CVE-2026-25679 | HIGH | v1.25.7 | 1.25.8 |

Details

The most critical finding is CVE-2026-33186 in google.golang.org/grpc, which allows an authorization bypass due to improper HTTP/2 path validation.

Steps to Reproduce

trivy image --severity HIGH,CRITICAL 1password/scim:v2.9.14

Expected Outcome

A new release of the SCIM Bridge with updated dependencies that resolve the listed CVEs.

Environment

  • Image: 1password/scim:v2.9.14
  • Base OS: Debian 13.3 (clean, no OS-level vulnerabilities)
  • Scanner: Trivy v0.69
  • Scan date: 2026-03-31
