3.6.2 — Security fixes
For the live, searchable view of all CVE advisories with remediation status, see the Security Advisories.
Fixes provided in 3.6.2
11 CVE(s) fixed compared to the previous release.
| Service | CVE | Severity | Package | Previously affected |
|---|---|---|---|---|
| ai-service | CVE-2026-44432 | HIGH | | 3.6.1 |
| analysis-node | CVE-2026-34982 | HIGH | | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-35535 | HIGH | | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-41035 | HIGH | | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-41066 | HIGH | | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-4775 | HIGH | | 3.6.1_core8.4.10 |
| imaging-apis | CVE-2026-33811 | HIGH | | 3.6.1 |
| imaging-apis | CVE-2026-33814 | HIGH | | 3.6.1 |
| imaging-apis | CVE-2026-39820 | HIGH | | 3.6.1 |
| imaging-apis | CVE-2026-39836 | HIGH | | 3.6.1 |
| imaging-apis | CVE-2026-42499 | HIGH | | 3.6.1 |
Pre-existing — assessed
The following CVEs were present in this release and assessed as not requiring an immediate fix. See Security Advisories for up-to-date status.
| Service | CVE | Severity | Package | Status | Justification |
|---|---|---|---|---|---|
| ai-service | CVE-2025-69720 | HIGH | libncursesw6 | OS Vendor | Debian NODSA. Debian Security Team does not require an immediate fix. |
| analysis-node | CVE-2025-26646 | HIGH | Microsoft.Build.Tasks.Core | Not Affected | The build runs with --no-restore, which skips the NuGet restore pipeline where this CVE lives. |
| analysis-node | CVE-2025-55247 | HIGH | Microsoft.Build.Tasks.Core | Not Affected | MSBuild input comes exclusively from CAST’s own tooling — no external input. |
| analysis-node | CVE-2025-67030 | HIGH | plexus-utils | Not Affected | The vulnerable code path is never invoked at runtime. |
| analysis-node | CVE-2025-69720 | HIGH | libtinfo6 | OS Vendor | Debian NODSA. Debian Security Team does not require an immediate fix. |
| analysis-node | CVE-2026-23949 | HIGH | jaraco.context | Not Affected | jaraco.context is a transitive dependency of pip/setuptools used only during the container build phase. It is not installed or reachable at runtime in the analysis-node service. |
| analysis-node | CVE-2026-24049 | HIGH | wheel | Not Affected | wheel is a build-time tool only — not used at runtime. |
| analysis-node | CVE-2026-26171 | HIGH | System.Security.Cryptography.Xml | Not Affected | Not loaded during any runtime code path. |
| analysis-node | CVE-2026-33116 | HIGH | System.Security.Cryptography.Xml | Not Affected | Not loaded during any runtime code path. |
| analysis-node | CVE-2026-42198 | HIGH | postgresql | Fix Incoming | Exploitation requires an attacker to control the PostgreSQL server, which is the customer’s own trusted database. Upgrading postgresql JDBC driver to 42.7.11 in core 8.4.11 regardless. |
| analysis-node | CVE-2026-44431 | HIGH | urllib3 | Not Affected | Not used in any production code path. |
| analysis-node | CVE-2026-44432 | HIGH | urllib3 | Not Affected | Not used in any production code path. |
| dashboards-v3 | CVE-2026-42198 | HIGH | postgresql | Not Affected | Exploitation requires an attacker to control the PostgreSQL server, which is the customer’s own trusted database. |
| neo4j | CVE-2025-69720 | HIGH | libtinfo6 | OS Vendor | Debian NODSA. Debian Security Team does not require an immediate fix. |
| neo4j | CVE-2026-33871 | HIGH | netty-codec-http2 | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42577 | HIGH | netty-transport-native-epoll | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42579 | HIGH | netty-codec-dns | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42582 | HIGH | netty-codec-http3 | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42583 | HIGH | netty-codec-compression | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42584 | HIGH | netty-codec-http | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42587 | HIGH | netty-codec-http | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| sso-service | CVE-2025-59250 | HIGH | mssql-jdbc | False Positive | Installed library is 13.2.1; scanner expects 13.2.1.jre. Same library, different PURL classifier. |
| sso-service | CVE-2025-69720 | HIGH | libtinfo6 | OS Vendor | Debian NODSA. Debian Security Team does not require an immediate fix. |
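The mssql-jdbc row above is a scanner false positive caused by a Maven JRE classifier in the version string. The following Python helper is an added example of how to reconcile such a finding against the artifact actually installed; it is not CAST tooling and not part of this release. The PURL coordinates, the classifier digits (jre11) and the second sample finding are constructed for illustration; the page itself only gives the versions 13.2.1 and 13.2.1.jre.

```python
"""Added example: reconcile scanner PURLs that differ only by a Maven JRE classifier.

Not CAST tooling. The sample PURLs below are constructed; the 'jre11' digits are an
assumption, since the advisory row only says the scanner expected '13.2.1.jre'.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Maven artifacts such as mssql-jdbc publish versions like 13.2.1.jre11; some
# scanners key their advisory data on that classifier-qualified form, so an
# installed jar reported as plain 13.2.1 fails a naive string comparison.
_JRE_SUFFIX = re.compile(r"\.jre\d*$")


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str
    name: str
    version: str


def parse_purl(purl: str) -> Purl:
    """Parse the subset of package-url used here: pkg:type/namespace/name@version[?q][#s]."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
    if "@" not in body:
        raise ValueError(f"purl has no version: {purl!r}")
    path, version = body.rsplit("@", 1)
    parts = path.split("/")
    return Purl(parts[0], "/".join(parts[1:-1]), unquote(parts[-1]), unquote(version))


def base_version(version: str) -> str:
    """Strip a JRE classifier suffix: '13.2.1.jre11' -> '13.2.1'; '13.2.1' is unchanged."""
    return _JRE_SUFFIX.sub("", version)


def same_artifact(scanner_purl: str, installed_purl: str) -> bool:
    """True when both PURLs name the same coordinates and the same base version."""
    a, b = parse_purl(scanner_purl), parse_purl(installed_purl)
    return ((a.type, a.namespace, a.name) == (b.type, b.namespace, b.name)
            and base_version(a.version) == base_version(b.version))


def triage(findings: dict[str, str], installed: list[str]) -> dict[str, str]:
    """Map each finding id to a verdict against the installed artifact list.

    'classifier-only mismatch' is the case the advisory table records as a false
    positive; 'version differs' means the installed artifact really is a different
    version and the finding must be assessed on its merits.
    """
    installed_parsed = [parse_purl(p) for p in installed]
    verdicts: dict[str, str] = {}
    for finding_id, purl in findings.items():
        f = parse_purl(purl)
        candidates = [p for p in installed_parsed
                      if (p.type, p.namespace, p.name) == (f.type, f.namespace, f.name)]
        if not candidates:
            verdicts[finding_id] = "artifact not installed"
            continue
        p = candidates[0]
        if p.version == f.version:
            verdicts[finding_id] = "exact match"
        elif base_version(p.version) == base_version(f.version):
            verdicts[finding_id] = "classifier-only mismatch (same artifact)"
        else:
            verdicts[finding_id] = f"version differs (installed {p.version})"
    return verdicts


# Constructed sample input. The first finding mirrors the sso-service row above;
# the second is a hypothetical older-version finding to show the other branch.
SAMPLE_FINDINGS = {
    "CVE-2025-59250": "pkg:maven/com.microsoft.sqlserver/mssql-jdbc@13.2.1.jre11",
    "example-older-version": "pkg:maven/com.microsoft.sqlserver/mssql-jdbc@13.2.0.jre11",
}
SAMPLE_INSTALLED = ["pkg:maven/com.microsoft.sqlserver/mssql-jdbc@13.2.1"]

if __name__ == "__main__":
    for finding_id, verdict in triage(SAMPLE_FINDINGS, SAMPLE_INSTALLED).items():
        print(f"{finding_id}: {verdict}")
```

The normalisation only explains away the classifier; it does not decide whether 13.2.1 itself contains the fix, so confirm the installed version from the jar's META-INF/MANIFEST.MF (or the SBOM entry the scanner consumed) before recording a finding as a false positive.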