Skip to content

fix(security): upgrade google-adk minimum version to 1.28.1 (CVE-2026-4810)#92

Closed
adityamehra wants to merge 2 commits into
mainfrom
fix/vuln-88790-upgrade-google-adk
Closed

fix(security): upgrade google-adk minimum version to 1.28.1 (CVE-2026-4810)#92
adityamehra wants to merge 2 commits into
mainfrom
fix/vuln-88790-upgrade-google-adk

Conversation

@adityamehra

Copy link
Copy Markdown
Member

Summary

  • Bumps the minimum required google-adk version from 1.14.1 to 1.28.1 in splunk-ao-adk/pyproject.toml
  • Updates examples/agent/google-adk/requirements.txt to enforce the same minimum safe version

Security

CVE-2026-4810 (CRITICAL) — Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 through < 1.28.1. Allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance.

  • Affected: google-adk >= 1.7.0, < 1.28.1
  • Remediation: google-adk >= 1.28.1
  • Jira: VULN-88790

Test plan

  • All 252 unit tests in splunk-ao-adk pass against the installed google-adk 1.36.0
  • google.adk.agents.llm_agent.Agent import verified working
  • README OpenAI example verified end-to-end against rc0 Splunk AO environment

Made with Cursor

adityamehra and others added 2 commits July 16, 2026 13:41
…_span, galileo-otel → splunk-ao-otel

Remove remaining Galileo branding from the OTel integration layer:
- Import alias: `Span as GalileoSpan` → `Span as SplunkAOSpan`
- Parameter/variable names: `galileo_span` → `splunk_ao_span` across otel.py, handler.py, and utils
- gen_ai.system attribute value: `"galileo-otel"` → `"splunk-ao-otel"`
- Test class/method names updated to match
- Examples updated: start_galileo_span → start_splunk_ao_span, galileo_span_processor → splunk_ao_span_processor

Co-authored-by: Cursor <cursoragent@cursor.com>
…-4810)

Bumps the minimum required version of google-adk from 1.14.1 to 1.28.1
to remediate CVE-2026-4810 (CRITICAL) — a Code Injection and Missing
Authentication vulnerability that allows unauthenticated remote code
execution on servers hosting ADK instances.

Resolves: VULN-88790
Co-authored-by: Cursor <cursoragent@cursor.com>
@adityamehra

Copy link
Copy Markdown
Member Author

Closing to rebase onto main instead of rename/galileo-to-splunk-ao branch.

@github-actions github-actions Bot locked and limited conversation to collaborators Jul 16, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant