3.6.3 — Security fixes
For the live, searchable view of all CVE advisories with remediation status, see the Security Advisories.
Fixes provided in 3.6.3
60 CVE(s) fixed compared to the previous release.
| Service | CVE | Severity | Package | Previously affected |
|---|---|---|---|---|
| admin-center | CVE-2026-41284 | HIGH | tomcat-embed-core | 3.6.2 |
| admin-center | CVE-2026-41293 | CRITICAL | tomcat-embed-core | 3.6.2 |
| admin-center | CVE-2026-42498 | HIGH | tomcat-embed-core | 3.6.2 |
| admin-center | CVE-2026-43512 | CRITICAL | tomcat-embed-core | 3.6.2 |
| admin-center | CVE-2026-43513 | HIGH | tomcat-embed-core | 3.6.2 |
| admin-center | CVE-2026-43515 | CRITICAL | tomcat-embed-core | 3.6.2 |
| analysis-node | CVE-2026-42198 | HIGH | postgresql | 3.6.3_core8.4.10 |
| console | CVE-2026-41284 | HIGH | tomcat-embed-core | 3.6.2 |
| console | CVE-2026-41293 | CRITICAL | tomcat-embed-core | 3.6.2 |
| console | CVE-2026-42498 | HIGH | tomcat-embed-core | 3.6.2 |
| console | CVE-2026-43512 | CRITICAL | tomcat-embed-core | 3.6.2 |
| console | CVE-2026-43513 | HIGH | tomcat-embed-core | 3.6.2 |
| console | CVE-2026-43515 | CRITICAL | tomcat-embed-core | 3.6.2 |
| dashboards-v3 | CVE-2026-33811 | HIGH | stdlib | 3.6.2 |
| dashboards-v3 | CVE-2026-33814 | HIGH | stdlib | 3.6.2 |
| dashboards-v3 | CVE-2026-39820 | HIGH | stdlib | 3.6.2 |
| dashboards-v3 | CVE-2026-39823 | HIGH | stdlib | 3.6.2 |
| dashboards-v3 | CVE-2026-39825 | HIGH | stdlib | 3.6.2 |
| dashboards-v3 | CVE-2026-39836 | HIGH | stdlib | 3.6.2 |
| dashboards-v3 | CVE-2026-41284 | HIGH | tomcat-embed-core | 3.6.2 |
| dashboards-v3 | CVE-2026-41293 | CRITICAL | tomcat-embed-core | 3.6.2 |
| dashboards-v3 | CVE-2026-42198 | HIGH | postgresql | 3.6.3 |
| dashboards-v3 | CVE-2026-42498 | HIGH | tomcat-embed-core | 3.6.2 |
| dashboards-v3 | CVE-2026-42499 | HIGH | stdlib | 3.6.2 |
| dashboards-v3 | CVE-2026-42504 | HIGH | stdlib | 3.6.2 |
| dashboards-v3 | CVE-2026-43512 | CRITICAL | tomcat-embed-core | 3.6.2 |
| dashboards-v3 | CVE-2026-43513 | HIGH | tomcat-embed-core | 3.6.2 |
| dashboards-v3 | CVE-2026-43515 | CRITICAL | tomcat-embed-core | 3.6.2 |
| etl-service | CVE-2026-33811 | HIGH | stdlib | 3.6.2 |
| etl-service | CVE-2026-33814 | HIGH | stdlib | 3.6.2 |
| etl-service | CVE-2026-39820 | HIGH | stdlib | 3.6.2 |
| etl-service | CVE-2026-39823 | HIGH | stdlib | 3.6.2 |
| etl-service | CVE-2026-39825 | HIGH | stdlib | 3.6.2 |
| etl-service | CVE-2026-39836 | HIGH | stdlib | 3.6.2 |
| etl-service | CVE-2026-42499 | HIGH | stdlib | 3.6.2 |
| gateway | CVE-2026-41284 | HIGH | tomcat-embed-core | 3.6.2 |
| gateway | CVE-2026-41293 | CRITICAL | tomcat-embed-core | 3.6.2 |
| gateway | CVE-2026-42498 | HIGH | tomcat-embed-core | 3.6.2 |
| gateway | CVE-2026-43512 | CRITICAL | tomcat-embed-core | 3.6.2 |
| gateway | CVE-2026-43513 | HIGH | tomcat-embed-core | 3.6.2 |
| gateway | CVE-2026-43515 | CRITICAL | tomcat-embed-core | 3.6.2 |
| neo4j | CVE-2026-33811 | HIGH | stdlib | 3.6.2 |
| neo4j | CVE-2026-33814 | HIGH | stdlib | 3.6.2 |
| neo4j | CVE-2026-39820 | HIGH | stdlib | 3.6.2 |
| neo4j | CVE-2026-39823 | HIGH | stdlib | 3.6.2 |
| neo4j | CVE-2026-39825 | HIGH | stdlib | 3.6.2 |
| neo4j | CVE-2026-39826 | HIGH | stdlib | 3.6.2 |
| neo4j | CVE-2026-39836 | HIGH | stdlib | 3.6.2 |
| neo4j | CVE-2026-42499 | HIGH | stdlib | 3.6.2 |
| sso-service | CVE-2026-29111 | HIGH | libsystemd0 | 3.6.2 |
| sso-service | CVE-2026-42578 | HIGH | netty-handler-proxy | 3.6.2 |
| sso-service | CVE-2026-42579 | CRITICAL | netty-codec-dns | 3.6.2 |
| sso-service | CVE-2026-4878 | HIGH | libcap2 | 3.6.2 |
| viewer | CVE-2026-33811 | HIGH | stdlib | 3.6.2 |
| viewer | CVE-2026-33814 | HIGH | stdlib | 3.6.2 |
| viewer | CVE-2026-39820 | HIGH | stdlib | 3.6.2 |
| viewer | CVE-2026-39823 | HIGH | stdlib | 3.6.2 |
| viewer | CVE-2026-39825 | HIGH | stdlib | 3.6.2 |
| viewer | CVE-2026-39836 | HIGH | stdlib | 3.6.2 |
| viewer | CVE-2026-42499 | HIGH | stdlib | 3.6.2 |
Security patch 3.6.3.1
4 CVE(s) fixed in the 3.6.3.1 security patch.
| Service | CVE | Severity | Package | Previously affected |
|---|---|---|---|---|
| ai-service | CVE-2026-25087 | HIGH | pyarrow | 3.6.3 |
| ai-service | CVE-2026-44843 | HIGH | langchain-core | 3.6.3 |
| ai-service | CVE-2026-45134 | HIGH | langchain-classic | 3.6.3 |
| imaging-apis | CVE-2025-22868 | HIGH | golang.org/x/oauth2 | 3.6.3 |
Pre-existing — assessed
The following CVEs were present in this release and assessed as not requiring an immediate fix. See Security Advisories for up-to-date status.
| Service | CVE | Severity | Package | Status | Justification |
|---|---|---|---|---|---|
| ai-service | CVE-2025-69720 | HIGH | ncurses | OS Vendor | Debian NODSA. Debian Security Team does not require an immediate fix. |
| analysis-node | CVE-2025-26646 | HIGH | Microsoft.Build.Tasks.Core | Not Affected | --no-restore skips the NuGet restore pipeline where this CVE lives. |
| analysis-node | CVE-2025-55247 | HIGH | Microsoft.Build.Tasks.Core | Not Affected | MSBuild input comes exclusively from CAST’s own tooling — no external input. |
| analysis-node | CVE-2025-67030 | HIGH | plexus-utils | Not Affected | The vulnerable code path is never invoked at runtime. |
| analysis-node | CVE-2025-69720 | HIGH | ncurses | OS Vendor | Debian NODSA. Debian Security Team does not require an immediate fix. |
| analysis-node | CVE-2026-23949 | HIGH | jaraco.context | Not Affected | jaraco.context is a transitive dependency of pip/setuptools used only during the container build phase. It is not installed or reachable at runtime in the analysis-node service. |
| analysis-node | CVE-2026-24049 | HIGH | wheel | Not Affected | wheel is a build-time tool only — not used at runtime. |
| analysis-node | CVE-2026-26171 | HIGH | System.Security.Cryptography.Xml | Not Affected | Not loaded during any runtime code path. |
| analysis-node | CVE-2026-33116 | HIGH | System.Security.Cryptography.Xml | Not Affected | Not loaded during any runtime code path. |
| analysis-node | CVE-2026-42198 | HIGH | postgresql | Fix Incoming | Exploitation requires an attacker to control the PostgreSQL server, which is the customer’s own trusted database. The PostgreSQL JDBC driver is nonetheless being upgraded to 42.7.11 in core 8.4.11. |
| analysis-node | CVE-2026-44431 | HIGH | urllib3 | Not Affected | Not used in any production code path. |
| analysis-node | CVE-2026-44432 | HIGH | urllib3 | Not Affected | Not used in any production code path. |
| neo4j | CVE-2025-69720 | HIGH | ncurses | OS Vendor | Debian NODSA. Debian Security Team does not require an immediate fix. |
| neo4j | CVE-2026-33871 | HIGH | netty-codec-http2 | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42577 | HIGH | netty-transport-native-epoll | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42579 | HIGH | netty-codec-dns | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42582 | HIGH | netty-codec-http3 | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42583 | HIGH | netty-codec-compression | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42584 | HIGH | netty-codec-http | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-42587 | HIGH | netty-codec-http | Vendor Dependent | Requires Neo4j upgrade to a version shipping Netty ≥ 4.2.13.Final. Neo4j 2026.05 includes the fix but APOC Extended has not yet been released for this version, blocking the upgrade. |
| neo4j | CVE-2026-44249 | HIGH | netty-handler | Vendor Dependent | Netty 4.1.133.Final bundled inside Neo4j. Fix available in 4.1.135.Final. Requires Neo4j upgrade. |
| neo4j | CVE-2026-45416 | HIGH | netty-handler | Vendor Dependent | Netty 4.1.133.Final bundled inside Neo4j. Fix available in 4.1.135.Final. Requires Neo4j upgrade. |
| sso-service | CVE-2025-59250 | HIGH | mssql-jdbc | False Positive | Installed library is 13.2.1; scanner expects 13.2.1.jre. Same library, different PURL classifier. |
| sso-service | CVE-2025-69720 | HIGH | ncurses | OS Vendor | Debian NODSA. Debian Security Team does not require an immediate fix. |
| sso-service | CVE-2026-7307 | HIGH | keycloak-saml-core | Vendor Dependent | Fix requires an upstream Keycloak release. CAST is monitoring the Keycloak project and will integrate the fix once available. |
| sso-service | CVE-2026-7504 | HIGH | keycloak-services | Vendor Dependent | Fix requires an upstream Keycloak release. CAST is monitoring the Keycloak project and will integrate the fix once available. |
| sso-service | CVE-2026-7507 | HIGH | keycloak-services | Vendor Dependent | Fix requires an upstream Keycloak release. CAST is monitoring the Keycloak project and will integrate the fix once available. |
| sso-service | CVE-2026-7571 | HIGH | keycloak-services | Vendor Dependent | Fix requires an upstream Keycloak release. CAST is monitoring the Keycloak project and will integrate the fix once available. |