3.6.5 — Security fixes

Fixes provided in 3.6.5

16 CVE(s) fixed compared to the previous release.

| Service | CVE | Severity | Package | Previously affected |
|---|---|---|---|---|
| admin-center | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| admin-center | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| ai-service | CVE-2026-25087 | HIGH | pyarrow | 3.6.4 |
| ai-service | CVE-2026-4372 | HIGH | transformers | 3.6.4.1 |
| auth-service | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| auth-service | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| console | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| console | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| dashboards-v3 | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| dashboards-v3 | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| gateway | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| gateway | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| imaging-apis | CVE-2026-45186 | HIGH | libexpat | 3.6.2 |
| sso-service | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| sso-service | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| sso-service | CVE-2026-9795 | HIGH | keycloak-services | 3.6.2 |

Pre-existing — assessed

The following CVEs were present in this release and were assessed as not requiring an immediate fix. See Security Advisories for up-to-date status. Rows where the Package or Justification cell is empty are reproduced as published.

| Service | CVE | Severity | Package | Status | Justification |
|---|---|---|---|---|---|
| admin-center | CVE-2026-54512 | HIGH | | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| admin-center | CVE-2026-54513 | HIGH | | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| ai-service | CVE-2025-69720 | HIGH | libncursesw6 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| auth-service | CVE-2026-54512 | HIGH | | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| auth-service | CVE-2026-54513 | HIGH | | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| console | CVE-2017-0247 | HIGH | | Not Affected | False positive: the actual implementation uses Mono, which is not affected by this CVE. |
| console | CVE-2017-0249 | HIGH | | Not Affected | False positive: the actual implementation uses Mono, which is not affected by this CVE. |
| console | CVE-2017-11770 | HIGH | | Not Affected | False positive: the actual implementation uses Mono, which is not affected by this CVE. |
| console | CVE-2024-0056 | HIGH | | Not Affected | |
| console | CVE-2025-60876 | HIGH | | Not Affected | Added temporarily to test whether VEX is working (IMAGKSL-4923). |
| dashboards-v3 | CVE-2026-2100 | HIGH | p11-kit | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| gateway | CVE-2026-54512 | HIGH | | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| gateway | CVE-2026-54513 | HIGH | | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| neo4j | CVE-2025-69720 | HIGH | libtinfo6 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| neo4j | CVE-2026-33871 | HIGH | netty-codec-http2 | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-41992 | HIGH | gzip | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| neo4j | CVE-2026-42577 | HIGH | netty-transport-native-epoll | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42579 | HIGH | netty-codec-dns | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42582 | HIGH | netty-codec-http3 | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42583 | HIGH | netty-codec-compression | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42584 | HIGH | netty-codec-http | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42587 | HIGH | netty-codec-http | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-44249 | HIGH | netty-handler | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-44892 | HIGH | netty-codec-http3 | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-44894 | HIGH | netty-codec-classes-quic | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-45416 | HIGH | netty-handler | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-45674 | HIGH | netty-resolver-dns | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-47691 | HIGH | netty-resolver-dns | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-48748 | HIGH | netty-codec-http3 | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-49268 | HIGH | shiro-core | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-50010 | HIGH | netty-handler | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-54369 | HIGH | libacl1 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| neo4j | CVE-2026-54512 | HIGH | jackson-databind | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-54513 | HIGH | jackson-databind | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| sso-service | CVE-2025-15281 | HIGH | | OS Vendor | No fix version available as of 2026-06-15. Added automatically by the CVE auto-fix pipeline (IMAGKSL-4922). |
| sso-service | CVE-2025-59250 | HIGH | mssql-jdbc | False Positive | Installed library is 13.2.1; the scanner expects 13.2.1.jre. Same library, different PURL classifier. |
| sso-service | CVE-2025-69720 | HIGH | libtinfo6 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| sso-service | CVE-2026-0861 | HIGH | | OS Vendor | No fix version available as of 2026-06-15. Added automatically by the CVE auto-fix pipeline (IMAGKSL-4922). |
| sso-service | CVE-2026-0915 | HIGH | | OS Vendor | No fix version available as of 2026-06-15. Added automatically by the CVE auto-fix pipeline (IMAGKSL-4922). |
| sso-service | CVE-2026-54369 | HIGH | libacl1 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| sso-service | CVE-2026-54512 | HIGH | | Not Affected | CAST-developed code in this Keycloak-based service (themes, API key extension) uses no polymorphic type handling (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be active, which is absent from the CAST codebase bundled here. |
| sso-service | CVE-2026-54513 | HIGH | | Not Affected | CAST-developed code in this Keycloak-based service (themes, API key extension) uses no polymorphic type handling (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be active, which is absent from the CAST codebase bundled here. |