Impact

What kind of vulnerability is it? Who is impacted?

Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is quoted inline below, with the two lines the advisory emphasised marked by comments:

```go
if p.Client == nil {
	p.Client = http.DefaultClient // emphasis: falls back to the package-global client
}
if p.roundTripper != nil {
	p.Client.Transport = p.roundTripper // emphasis: mutates whichever client that is
}
```

When the transport is populated with an authenticated transport such as:

- oauth2.Transport
- idtoken.NewClient(…).Transport

then the package-global http.DefaultClient itself is modified to use the authenticated transport. From that point on, every other caller in the process that uses http.DefaultClient (including any code that calls http.Get, http.Post or http.Head, all of which go through it) will start sending Authorization tokens to any endpoint it contacts!

Found and patched by: @tcnghia and @mattmoor

Patches…
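The following program reproduces the failure mode described in the Impact section and contrasts it with a scoped client. It is an added example, not code from the advisory or from the cloudevents/sdk-go project: the `protocol` struct, `authTransport` (a constructed stand-in for oauth2.Transport), `applyVulnerable`, `applyFixed` and `observe` are all names invented here, and `applyFixed` is one correct remediation rather than a claim about what the project's actual patch does. The two httptest servers stand in for the intended event sink and for an unrelated third-party host reached by other code in the same binary.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authTransport stands in for an authenticated RoundTripper such as
// oauth2.Transport: it stamps a bearer token on every request it forwards.
// It is constructed for this example, not taken from the SDK.
type authTransport struct {
	token string
	base  http.RoundTripper
}

func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

// protocol mirrors the two fields the advisory's snippet touches.
type protocol struct {
	Client       *http.Client
	roundTripper http.RoundTripper
}

// applyVulnerable reproduces the flawed logic: a nil Client falls back to the
// package-global http.DefaultClient, which is then mutated in place.
func applyVulnerable(p *protocol) {
	if p.Client == nil {
		p.Client = http.DefaultClient
	}
	if p.roundTripper != nil {
		p.Client.Transport = p.roundTripper
	}
}

// applyFixed allocates a private client when none was supplied, so the
// authenticated transport is scoped to this protocol instance. This is one
// correct remediation written for the example (assumption), not a description
// of the project's own patch.
func applyFixed(p *protocol) {
	if p.Client == nil {
		p.Client = &http.Client{}
	}
	if p.roundTripper != nil {
		p.Client.Transport = p.roundTripper
	}
}

// observe runs apply against a protocol carrying an authenticated transport,
// then reports the Authorization header seen by (a) the intended sink, reached
// through the protocol's own client, and (b) an unrelated third-party endpoint
// reached by other code in the process through http.DefaultClient.
func observe(apply func(*protocol)) (viaOwnClient, viaDefaultClient string, err error) {
	// Save and restore the global so successive runs do not contaminate each other.
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()

	capture := func(dst *string) *httptest.Server {
		return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			*dst = r.Header.Get("Authorization")
		}))
	}
	sink := capture(&viaOwnClient)
	defer sink.Close()
	thirdParty := capture(&viaDefaultClient)
	defer thirdParty.Close()

	p := &protocol{roundTripper: &authTransport{token: "s3cret", base: http.DefaultTransport}}
	apply(p)

	// The SDK's own traffic: authentication here is intended.
	resp, err := p.Client.Get(sink.URL + "/events")
	if err != nil {
		return "", "", err
	}
	resp.Body.Close()

	// Unrelated code elsewhere in the binary (anything using http.Get or
	// http.DefaultClient directly) talks to some other host.
	resp, err = http.DefaultClient.Get(thirdParty.URL + "/unrelated")
	if err != nil {
		return "", "", err
	}
	resp.Body.Close()
	return viaOwnClient, viaDefaultClient, nil
}

func main() {
	for name, apply := range map[string]func(*protocol){"vulnerable": applyVulnerable, "fixed": applyFixed} {
		own, def, err := observe(apply)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s own client sent %q; third party saw %q\n", name, own, def)
	}
}
```

With `applyVulnerable` the third-party server receives `Bearer s3cret` even though nothing in that code path ever asked for authentication; with `applyFixed` the protocol's own requests are still authenticated while `http.DefaultClient` is left untouched. The general lesson is the one the advisory points at: never assign into a package-global `*http.Client` (or `http.DefaultTransport`) on behalf of one caller, because every other user of that global inherits the change.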