Track CVE fixes from 2026-04-22 audit
# CVE audit findings on master (2026-04-22)

The scheduled CVE audit on `cee14617` flagged remaining CRITICAL/HIGH items after #705.

Report: https://gitlab.com/postgres-ai/database-lab/-/pipelines/2470583996

## In the binary (`dblab-server`)

- HIGH CVE-2026-33816 - `github.com/jackc/pgx/v5 v5.9.1` - memory-safety issue in `pgproto3.Backend.Receive`. Fix: bump to v5.9.2.
- HIGH CVE-2026-32280/32281/32282/32283/33810 - `stdlib v1.26.1`. Fix: rebuild on Go 1.26.2. CI runs `golang:1.26` with `pull_policy: if-not-present`, so cached runners still pick up the older 1.26.1 image; the image needs to be pinned to `golang:1.26.2`.
- HIGH CVE-2026-34040, CVE-2026-33997 - `github.com/docker/docker v28.5.2`. The v1 module path is unmaintained; the fix exists only on `github.com/moby/moby/v2 >= 2.0.0-beta.8`, which needs a migration (~9 import paths, API-breaking, v2 still beta). The exploit conditions (Docker AuthZ plugins, plugin install with crafted privileges) don't apply to DLE, so practical risk is low. Tracked separately.

## In the base image (`docker:29.4.0`)

Shipped by Docker Inc. inside the `docker:*` image. Confirmed by scanning `docker:29.4.1` directly: same CVEs.

- CRITICAL CVE-2026-33186 - `google.golang.org/grpc v1.78.0` (containerd, dockerd, ctr, compose)
- HIGH CVE-2026-24051, CVE-2026-39883 - `go.opentelemetry.io/otel/sdk v1.38.0` (containerd, compose, buildx)
- HIGH CVE-2026-34986 - `github.com/go-jose/go-jose/v4 v4.1.3` (containerd)
- HIGH CVE-2026-33747, CVE-2026-33748 - `github.com/moby/buildkit v0.27.1` (compose)
- HIGH CVE-2026-35469 - `github.com/moby/spdystream v0.5.0` (buildx)
- HIGH stdlib v1.25.8 - across all base-image binaries

Resolves when Docker Inc. ships a rebuilt `docker:29.4.x` image. Nothing actionable on our side beyond bumping the patch tag (29.4.0 -> 29.4.1).

## Related MR

* Merge request: https://gitlab.com/postgres-ai/database-lab/-/merge_requests/1139
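A post-build gate for the two binary-side fixes above (the Go 1.26.2 rebuild and the pgx v5.9.2 bump), added here as an example and not part of the project's CI: it parses the output of `go version -m <binary>` and fails if a cached `golang:1.26` image produced a 1.26.1 build or the old pgx is still linked in. The sample reports, the `h1:constructed` hashes and the function names are constructed for the example.

```sh
#!/bin/sh
# Post-build gate for dblab-server: parse `go version -m <binary>` and fail
# when the embedded Go toolchain or pgx module is below the audit's minimum.
# Catches a build that silently used the cached golang:1.26 (1.26.1) image.

MIN_GO="1.26.2"   # stdlib CVEs resolved in Go 1.26.2
MIN_PGX="5.9.2"   # CVE-2026-33816 resolved in pgx v5.9.2

# ver_key VERSION: numeric sort key for "go1.26.1", "v5.9.1" or "1.26".
# Pre-release suffixes ("-beta.8") are dropped; rc toolchains are not handled.
ver_key() (
  v=${1#go}; v=${v#v}; v=${v%%-*}
  IFS=.; set -- $v
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)
# ver_ge A B: succeed when version A >= version B.
ver_ge() { [ "$(ver_key "$1")" -ge "$(ver_key "$2")" ]; }

# report_go_version REPORT: toolchain from the first line ("<file>: go1.26.1").
report_go_version() { printf '%s\n' "$1" | sed -n '1s/.*: \(go[0-9.]*\).*/\1/p'; }
# report_dep_version REPORT MODULE: version from the "dep <module> <ver> <hash>" line.
report_dep_version() { printf '%s\n' "$1" | awk -v m="$2" '$1=="dep" && $2==m {print $3; exit}'; }

# check_report REPORT: return 0 when both minimums are met, 1 otherwise.
check_report() {
  gov=$(report_go_version "$1")
  pgx=$(report_dep_version "$1" github.com/jackc/pgx/v5)
  rc=0
  ver_ge "${gov:-go0}" "$MIN_GO" || { echo "FAIL: built with ${gov:-unknown}, need go$MIN_GO"; rc=1; }
  ver_ge "${pgx:-v0}" "$MIN_PGX" || { echo "FAIL: pgx ${pgx:-missing}, need v$MIN_PGX"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $gov, pgx $pgx"
  return "$rc"
}
# check_binary PATH: run the gate against a real build artifact.
check_binary() { check_report "$(go version -m "$1")"; }

# Constructed samples of `go version -m` output (tab-separated dep lines):
# one binary from the stale cached image, one built after both fixes.
OLD_REPORT=$(printf 'dblab-server: go1.26.1\n\tdep\tgithub.com/docker/docker\tv28.5.2\th1:constructed\n\tdep\tgithub.com/jackc/pgx/v5\tv5.9.1\th1:constructed\n')
NEW_REPORT=$(printf 'dblab-server: go1.26.2\n\tdep\tgithub.com/docker/docker\tv28.5.2\th1:constructed\n\tdep\tgithub.com/jackc/pgx/v5\tv5.9.2\th1:constructed\n')

if [ "$#" -gt 0 ]; then
  check_binary "$1"
else
  check_report "$OLD_REPORT" || true
  check_report "$NEW_REPORT"
fi
```

Run it as `sh gate.sh ./dblab-server` in the CI job after the build step; with no argument it runs against the constructed samples.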