Security: Vulnerable dependencies in 1password/scim:v2.9.14 #394

@tzahari

Description

A Trivy scan of the 1password/scim:v2.9.14 image reveals 7 vulnerabilities (1 CRITICAL, 6 HIGH) in bundled Go dependencies.

Scan Results

| Library | CVE | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| google.golang.org/grpc | CVE-2026-33186 | CRITICAL | v1.75.1 | 1.79.3 |
| github.com/caddyserver/caddy/v2 | CVE-2026-27586 | HIGH | v2.9.1 | 2.11.1 |
| github.com/caddyserver/caddy/v2 | CVE-2026-27587 | HIGH | v2.9.1 | 2.11.1 |
| github.com/caddyserver/caddy/v2 | CVE-2026-27588 | HIGH | v2.9.1 | 2.11.1 |
| github.com/caddyserver/caddy/v2 | CVE-2026-27590 | HIGH | v2.9.1 | 2.11.1 |
| github.com/quic-go/quic-go | CVE-2025-59530 | HIGH | v0.48.2 | 0.49.1 |
| stdlib (Go) | CVE-2026-25679 | HIGH | v1.25.7 | 1.25.8 |

Details

The most critical finding is CVE-2026-33186 in google.golang.org/grpc, which allows an authorization bypass due to improper HTTP/2 path validation.

Steps to Reproduce

trivy image --severity HIGH,CRITICAL 1password/scim:v2.9.14

Expected Outcome

A new release of the SCIM Bridge with updated dependencies that resolve the listed CVEs.

Environment

  • Image: 1password/scim:v2.9.14
  • Base OS: Debian 13.3 (clean, no OS-level vulnerabilities)
  • Scanner: Trivy v0.69
  • Scan date: 2026-03-31
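For maintainers triaging a report like the one above, this added example (not part of the original issue or of the SCIM Bridge code) groups Trivy findings per library and derives the lowest version that clears every listed CVE. It assumes the `Results[].Vulnerabilities[]` layout of `trivy image --format json`; the sample rows are constructed from the table in the issue, and the function names and the `Target` value are hypothetical.

```python
# Added example: turn a Trivy JSON report into a per-library upgrade plan.

# Constructed sample mirroring the issue's table, in the Results[].Vulnerabilities[]
# layout of `trivy image --format json`; the Target value is a placeholder.
KEYS = ("PkgName", "VulnerabilityID", "Severity", "InstalledVersion", "FixedVersion")
ROWS = [
    ("google.golang.org/grpc", "CVE-2026-33186", "CRITICAL", "v1.75.1", "1.79.3"),
    ("github.com/caddyserver/caddy/v2", "CVE-2026-27586", "HIGH", "v2.9.1", "2.11.1"),
    ("github.com/caddyserver/caddy/v2", "CVE-2026-27587", "HIGH", "v2.9.1", "2.11.1"),
    ("github.com/caddyserver/caddy/v2", "CVE-2026-27588", "HIGH", "v2.9.1", "2.11.1"),
    ("github.com/caddyserver/caddy/v2", "CVE-2026-27590", "HIGH", "v2.9.1", "2.11.1"),
    ("github.com/quic-go/quic-go", "CVE-2025-59530", "HIGH", "v0.48.2", "0.49.1"),
    ("stdlib", "CVE-2026-25679", "HIGH", "v1.25.7", "1.25.8"),
]
SAMPLE_REPORT = {"Results": [{"Target": "PLACEHOLDER-binary",
                              "Vulnerabilities": [dict(zip(KEYS, r)) for r in ROWS]}]}


def parse_version(text):
    """'v1.75.1' -> (1, 75, 1); non-numeric components are dropped."""
    return tuple(int(p) for p in text.strip().lstrip("v").split(".") if p.isdigit())


def upgrade_plan(report, severities=("HIGH", "CRITICAL")):
    """Group findings by library; target = lowest version clearing every CVE."""
    plan = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent when clean
            if vuln.get("Severity") not in severities:
                continue
            installed = vuln["InstalledVersion"]
            entry = plan.setdefault(vuln["PkgName"], {
                "installed": installed, "cves": [], "target": None, "unfixed": []})
            entry["cves"].append(vuln["VulnerabilityID"])
            # FixedVersion may list one fix per release branch, comma-separated.
            fixes = [f.strip() for f in (vuln.get("FixedVersion") or "").split(",")]
            newer = [f for f in fixes if f and parse_version(f) > parse_version(installed)]
            if not newer:
                entry["unfixed"].append(vuln["VulnerabilityID"])
                continue
            nearest = min(newer, key=parse_version)
            if entry["target"] is None or parse_version(nearest) > parse_version(entry["target"]):
                entry["target"] = nearest
    return plan


if __name__ == "__main__":
    for pkg, e in upgrade_plan(SAMPLE_REPORT).items():
        print(f"{pkg}: {e['installed']} -> {e['target']} ({len(e['cves'])} CVEs)")
```

Findings with no fixed release newer than the installed version are collected under `unfixed` rather than silently dropped, so they can be tracked separately from the dependency bumps.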
