It looks like the latest version of metrics-server (v0.8.1) is currently affected by CVE-2026-33186. Snyk CLI report below:
> snyk container test registry.k8s.io/metrics-server/metrics-server:v0.8.1
Testing registry.k8s.io/metrics-server/metrics-server:v0.8.1...
Organization: <redacted>
Package manager: deb
Project name: docker-image|registry.k8s.io/metrics-server/metrics-server
Docker image: registry.k8s.io/metrics-server/metrics-server:v0.8.1
Platform: linux/amd64
Target OS: Distroless
Licenses: enabled
✔ Tested 4 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing registry.k8s.io/metrics-server/metrics-server:v0.8.1...
✗ Critical severity vulnerability found in google.golang.org/grpc
Description: Incorrect Authorization
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172
Introduced through: google.golang.org/grpc@v1.72.0
From: google.golang.org/grpc@v1.72.0
Fixed in: 1.79.3
Organization: <redacted>
Package manager: gomodules
Target file: /metrics-server
Project name: sigs.k8s.io/metrics-server
Docker image: registry.k8s.io/metrics-server/metrics-server:v0.8.1
Licenses: enabled
Tested 853 dependencies for known issues, found 2 issues.
Note: the other finding is tracked in #1774.