Charon Backend Binary Exposes HIGH-Severity Docker SDK AuthZ Bypass (GHSA-x744-4wpc-v9h2)

A high-severity supply chain vulnerability has been discovered within the Charon backend's core binary. The Grype scan flagged GHSA-x744-4wpc-v9h2, a critical authorization bypass flaw with a CVSS score of 8.8, embedded in the `github.com/docker/docker` SDK version v28.5.2+incompatible. This specific vulnerability allows attackers to bypass Docker Engine's AuthZ plugin security controls by sending oversized request bodies, posing a significant threat to systems that rely on these plugins for access control.

The vulnerability resides in the Docker Client SDK used by the `/app/charon` binary. While the Charon service itself only uses this SDK for container listing operations and does not configure or depend on the vulnerable server-side AuthZ plugin, the presence of the unpatched library creates a latent security exposure in the software supply chain. A fix is available in the `moby/moby` project's v29.3.1 release, but it is not yet accessible via the `docker/docker` import path that Charon's dependencies require, creating a dependency deadlock.

As an interim mitigation, the project has implemented a temporary ignore rule in its `.grype.yaml` configuration file, set to expire on April 30, 2026. This action acknowledges the minimal real-world risk to Charon's specific operations but underscores the persistent threat of an unpatched, high-severity library within its build artifact. The resolution path is now a waiting game: the team must monitor for a compatible, patched release on the correct import path before they can update the `go.mod` file and eliminate the vulnerability from the codebase.