This security update addresses an authorization bypass vulnerability (CVE-2026-33186, CVSS 9.1 CRITICAL) in the `rhc` client due to improper HTTP/2 path validation in the underlying gRPC-Go library. The vulnerability affects systems running Red Hat Enterprise Linux 8 where `rhc` is installed and uses a vulnerable version of the grpc library. The fix is provided in the updated `rhc` packages for RHEL 8, which incorporate the patched grpc library version 1.79.3.
Red Hat Product Errata RHSA-2026:10107 - Security Advisory Issued: 2026-04-23 Updated: 2026-04-23 RHSA-2026:10107 - Security Advisory Overview Updated Packages Synopsis Important: rhc security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for rhc is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description rhc is a client tool and daemon that connects the system to Red Hat hosted services enabling system and subscription management. Security Fix(es): google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 8 x86_64 Red Hat Enterprise Linux for IBM z Systems 8 s390x Red Hat Enterprise Linux for Power, little endian 8 ppc64le Red Hat Enterprise Linux for ARM 64 8 aarch64 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 s390x Fixes BZ - 2449833 - CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation CVEs CVE-2026-33186 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 8 SRPM rhc-0.2.5-6.el8_10.src.rpm SHA-256: b6842b71f028fbbe08fa6b4f6334e3679040a2e8cc3d54fd0278bfc224755077 x86_64 rhc-0.2.5-6.el8_10.x86_64.rpm SHA-256: 88c42decde6a03af707c79dbec20f747215bad2aea741250f3ecf899a5b1db2c rhc-debuginfo-0.2.5-6.el8_10.x86_64.rpm SHA-256: 0f64cb35379c1ff565886f0c13f4ed3ee2898e2704f43d2a0845ce7a5b266be8 rhc-debugsource-0.2.5-6.el8_10.x86_64.rpm SHA-256: 8ff264cdd87ffe89c2b69e31785d8956f638898eeb6b15b91ab88f63c58da632 Red Hat Enterprise Linux for IBM z Systems 8 SRPM rhc-0.2.5-6.el8_10.src.rpm SHA-256: b6842b71f028fbbe08fa6b4f6334e3679040a2e8cc3d54fd0278bfc224755077 s390x rhc-0.2.5-6.el8_10.s390x.rpm SHA-256: 0a763340f0fff1b1be5c4959cf87f8ad0860f6e9af1df1435a08fede53211cfc rhc-debuginfo-0.2.5-6.el8_10.s390x.rpm SHA-256: f7f982ca5ce813126dbccec5500539277fb46c4c9128422e56d2a0b5aae91e87 rhc-debugsource-0.2.5-6.el8_10.s390x.rpm SHA-256: e42f38255d637fa3c796f036fdadf146d525ddf6ff7b4c485318bf57a1384a6b Red Hat Enterprise Linux for Power, little endian 8 SRPM rhc-0.2.5-6.el8_10.src.rpm SHA-256: b6842b71f028fbbe08fa6b4f6334e3679040a2e8cc3d54fd0278bfc224755077 ppc64le rhc-0.2.5-6.el8_10.ppc64le.rpm SHA-256: 919e15d7e62334ba92dce60377d77a296e012986a7d38da3fce3c18c1a9bc85b rhc-debuginfo-0.2.5-6.el8_10.ppc64le.rpm SHA-256: b75e489cf807a5f5bbde0f3ab4a8a882567b9d69c640973348b70417e1097190 rhc-debugsource-0.2.5-6.el8_10.ppc64le.rpm SHA-256: 635e2726305f7d04c90a489d0b1c0dc94b1b5a4622ad37a98cb43207d467b617 Red Hat Enterprise Linux for ARM 64 8 SRPM rhc-0.2.5-6.el8_10.src.rpm SHA-256: b6842b71f028fbbe08fa6b4f6334e3679040a2e8cc3d54fd0278bfc224755077 aarch64 rhc-0.2.5-6.el8_10.aarch64.rpm SHA-256: 9d29f4636ddd1c9806ac1d64818447a24a03ff7b13395d1a493ca71176d8aece rhc-debuginfo-0.2.5-6.el8_10.aarch64.rpm SHA-256: 754f7c39ec161196aece4c8eb4b16981046f45d8ad7f59441c52dfb65dfac5ab rhc-debugsource-0.2.5-6.el8_10.aarch64.rpm SHA-256: 51f7a9399aceba1bae55396a214b45b5ed9c2c66fff762d773b32db843df967e Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 SRPM rhc-0.2.5-6.el8_10.src.rpm SHA-256: b6842b71f028fbbe08fa6b4f6334e3679040a2e8cc3d54fd0278bfc224755077 x86_64 rhc-0.2.5-6.el8_10.x86_64.rpm SHA-256: 88c42decde6a03af707c79dbec20f747215bad2aea741250f3ecf899a5b1db2c rhc-debuginfo-0.2.5-6.el8_10.x86_64.rpm SHA-256: 0f64cb35379c1ff565886f0c13f4ed3ee2898e2704f43d2a0845ce7a5b266be8 rhc-debugsource-0.2.5-6.el8_10.x86_64.rpm SHA-256: 8ff264cdd87ffe89c2b69e31785d8956f638898eeb6b15b91ab88f63c58da632 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 SRPM rhc-0.2.5-6.el8_10.src.rpm SHA-256: b6842b71f028fbbe08fa6b4f6334e3679040a2e8cc3d54fd0278bfc224755077 aarch64 rhc-0.2.5-6.el8_10.aarch64.rpm SHA-256: 9d29f4636ddd1c9806ac1d64818447a24a03ff7b13395d1a493ca71176d8aece rhc-debuginfo-0.2.5-6.el8_10.aarch64.rpm SHA-256: 754f7c39ec161196aece4c8eb4b16981046f45d8ad7f59441c52dfb65dfac5ab rhc-debugsource-0.2.5-6.el8_10.aarch64.rpm SHA-256: 51f7a9399aceba1bae55396a214b45b5ed9c2c66fff762d773b32db843df967e Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 SRPM rhc-0.2.5-6.el8_10.src.rpm SHA-256: b6842b71f028fbbe08fa6b4f6334e3679040a2e8cc3d54fd0278bfc224755077 ppc64le rhc-0.2.5-6.el8_10.ppc64le.rpm SHA-256: 919e15d7e62334ba92dce60377d77a296e012986a7d38da3fce3c18c1a9bc85b rhc-debuginfo-0.2.5-6.el8_10.ppc64le.rpm SHA-256: b75e489cf807a5f5bbde0f3ab4a8a882567b9d69c640973348b70417e1097190 rhc-debugsource-0.2.5-6.el8_10.ppc64le.rpm SHA-256: 635e2726305f7d04c90a489d0b1c0dc94b1b5a4622ad37a98cb43207d467b617 Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 SRPM rhc-0.2.5-6.el8_10.src.rpm SHA-256: b6842b71f028fbbe08fa6b4f6334e3679040a2e8cc3d54fd0278bfc224755077 s390x rhc-0.2.5-6.el8_10.s390x.rpm SHA-256: 0a763340f0fff1b1be5c4959cf87f8ad0860f6e9af1df1435a08fede53211cfc rhc-debuginfo-0.2.5-6.el8_10.s390x.rpm SHA-256: f7f982ca5ce813126dbccec5500539277fb46c4c9128422e56d2a0b5aae91e87 rhc-debugsource-0.2.5-6.el8_10.s390x.rpm SHA-256: e42f38255d637fa3c796f036fdadf146d525ddf6ff7b4c485318bf57a1384a6b The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .