Hi,
We're using clickhouse-backup v2.6.43 in our product (SUSE Observability) and our CVE scanning is flagging google.golang.org/grpc v1.79.1 for CVE-2026-33186 (GHSA-p77j-4mvh-x3m3, CVSS 9.1 — authorization bypass via malformed HTTP/2 headers). The fix landed in grpc v1.79.3.
I see that master already has grpc v1.80.0 (via the google.golang.org/api bump), so the fix is already in your codebase — it just hasn't been released yet.
Would it be possible to cut a v2.6.44 release? That would resolve this CVE for all downstream consumers without requiring anyone to track master.
Thanks for the great tool and the active maintenance.
Hi,
We're using clickhouse-backup v2.6.43 in our product (SUSE Observability) and our CVE scanning is flagging google.golang.org/grpc v1.79.1 for CVE-2026-33186 (GHSA-p77j-4mvh-x3m3, CVSS 9.1 — authorization bypass via malformed HTTP/2 headers). The fix landed in grpc v1.79.3.
I see that master already has grpc v1.80.0 (via the google.golang.org/api bump), so the fix is already in your codebase — it just hasn't been released yet.
Would it be possible to cut a v2.6.44 release? That would resolve this CVE for all downstream consumers without requiring anyone to track master.
Thanks for the great tool and the active maintenance.