3.6.5 — Security fixes
For the live, searchable view of all CVE advisories with remediation status, see the Security Advisories.
Fixes provided in 3.6.5
16 service/CVE pairs fixed compared to the previous release (6 distinct CVEs; CVE-2026-54512 and CVE-2026-54513 in jackson-databind are fixed across six services).
| Service | CVE | Severity | Package | Previously affected |
|---|---|---|---|---|
| admin-center | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| admin-center | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| ai-service | CVE-2026-25087 | HIGH | pyarrow | 3.6.4 |
| ai-service | CVE-2026-4372 | HIGH | transformers | 3.6.4.1 |
| auth-service | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| auth-service | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| console | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| console | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| dashboards-v3 | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| dashboards-v3 | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| gateway | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| gateway | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| imaging-apis | CVE-2026-45186 | HIGH | libexpat | 3.6.2 |
| sso-service | CVE-2026-54512 | HIGH | jackson-databind | 3.6.2 |
| sso-service | CVE-2026-54513 | HIGH | jackson-databind | 3.6.2 |
| sso-service | CVE-2026-9795 | HIGH | keycloak-services | 3.6.2 |
Pre-existing — assessed
The following CVEs were present in this release and assessed as not requiring an immediate fix. Status values: Not Affected (CAST code does not exercise the vulnerable path, or the scanner match is a false positive), False Positive (scanner mismatch on package identity), OS Vendor (fix depends on the base-image OS vendor), Vendor Dependent (fix depends on an upstream release of a bundled third-party component). The jackson-databind entries for admin-center, auth-service, gateway and sso-service also appear in the fixes table above for 3.6.5; their assessment is kept here for reference. See Security Advisories for up-to-date status.
| Service | CVE | Severity | Package | Status | Justification |
|---|---|---|---|---|---|
| admin-center | CVE-2026-54512 | HIGH | jackson-databind | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| admin-center | CVE-2026-54513 | HIGH | jackson-databind | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| ai-service | CVE-2025-69720 | HIGH | libncursesw6 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| auth-service | CVE-2026-54512 | HIGH | jackson-databind | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| auth-service | CVE-2026-54513 | HIGH | jackson-databind | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| console | CVE-2017-0247 | HIGH | | Not Affected | False positive: the console implementation uses Mono, which is not affected by this CVE. |
| console | CVE-2017-0249 | HIGH | | Not Affected | False positive: the console implementation uses Mono, which is not affected by this CVE. |
| console | CVE-2017-11770 | HIGH | | Not Affected | False positive: the console implementation uses Mono, which is not affected by this CVE. |
| console | CVE-2024-0056 | HIGH | | Not Affected | |
| console | CVE-2025-60876 | HIGH | | Not Affected | Test entry added temporarily to verify that VEX processing works (IMAGKSL-4923); not a security assessment. |
| dashboards-v3 | CVE-2026-2100 | HIGH | p11-kit | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| gateway | CVE-2026-54512 | HIGH | jackson-databind | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| gateway | CVE-2026-54513 | HIGH | jackson-databind | Not Affected | This service uses jackson-databind only for concrete-type deserialization (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be enabled, which is absent in this codebase. |
| neo4j | CVE-2025-69720 | HIGH | libtinfo6 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| neo4j | CVE-2026-33871 | HIGH | netty-codec-http2 | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-41992 | HIGH | gzip | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| neo4j | CVE-2026-42577 | HIGH | netty-transport-native-epoll | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42579 | HIGH | netty-codec-dns | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42582 | HIGH | netty-codec-http3 | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42583 | HIGH | netty-codec-compression | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42584 | HIGH | netty-codec-http | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-42587 | HIGH | netty-codec-http | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-44249 | HIGH | netty-handler | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-44892 | HIGH | netty-codec-http3 | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-44894 | HIGH | netty-codec-classes-quic | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-45416 | HIGH | netty-handler | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-45674 | HIGH | netty-resolver-dns | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-47691 | HIGH | netty-resolver-dns | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-48748 | HIGH | netty-codec-http3 | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-49268 | HIGH | shiro-core | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-50010 | HIGH | netty-handler | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-54369 | HIGH | libacl1 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| neo4j | CVE-2026-54512 | HIGH | jackson-databind | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| neo4j | CVE-2026-54513 | HIGH | jackson-databind | Vendor Dependent | Neo4j is a third-party database component bundled as-is. Java CVEs in neo4j require an upstream Neo4j release to fix; CAST cannot patch these dependencies directly. |
| sso-service | CVE-2025-15281 | HIGH | | OS Vendor | No fix version available as of 2026-06-15. Added automatically by the CVE auto-fix pipeline (IMAGKSL-4922). |
| sso-service | CVE-2025-59250 | HIGH | mssql-jdbc | False Positive | Installed library is 13.2.1; scanner expects 13.2.1.jre. Same library, different PURL classifier. |
| sso-service | CVE-2025-69720 | HIGH | libtinfo6 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| sso-service | CVE-2026-0861 | HIGH | | OS Vendor | No fix version available as of 2026-06-15. Added automatically by the CVE auto-fix pipeline (IMAGKSL-4922). |
| sso-service | CVE-2026-0915 | HIGH | | OS Vendor | No fix version available as of 2026-06-15. Added automatically by the CVE auto-fix pipeline (IMAGKSL-4922). |
| sso-service | CVE-2026-54369 | HIGH | libacl1 | OS Vendor | OS package from DHI base image. Fix depends on OS vendor (Debian security team). |
| sso-service | CVE-2026-54512 | HIGH | jackson-databind | Not Affected | CAST-developed code in this Keycloak-based service (themes, API key extension) uses no polymorphic type handling (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be active, which is absent from the CAST codebase bundled here. |
| sso-service | CVE-2026-54513 | HIGH | jackson-databind | Not Affected | CAST-developed code in this Keycloak-based service (themes, API key extension) uses no polymorphic type handling (no activateDefaultTyping or @JsonTypeInfo). The PolymorphicTypeValidator bypass exploited by this CVE requires polymorphic type handling to be active, which is absent from the CAST codebase bundled here. |
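The jackson-databind "Not Affected" assessments above rest on a single claim: the service never enables Jackson polymorphic type handling (no activateDefaultTyping, no @JsonTypeInfo). That claim is cheap to re-check whenever a service's Jackson configuration changes, and it is the kind of evidence a VEX consumer will ask for. The script below is an added example and is not part of this page or of CAST's CVE pipeline: it scans a Java source tree for the markers of polymorphic type handling and records the outcome as an OpenVEX statement. The two markers named in the assessment are taken from the page; the additional markers (enableDefaultTyping, setDefaultTyping, PolymorphicTypeValidator, LaissezFaireSubTypeValidator), the product identifier, the sample Java sources and the VEX field mapping are assumptions of this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Markers that polymorphic type handling is (or may be) enabled. The first two
# are the ones the assessment names; the rest are assumed worth flagging because
# they are the deprecated or lower-level APIs that reach the same code path.
POLYMORPHIC_INDICATORS = {
    "activateDefaultTyping": re.compile(r"\bactivateDefaultTyping\s*\("),
    "@JsonTypeInfo": re.compile(r"@JsonTypeInfo\b"),
    "enableDefaultTyping": re.compile(r"\benableDefaultTyping\s*\("),  # deprecated since 2.10
    "setDefaultTyping": re.compile(r"\bsetDefaultTyping\s*\("),
    "PolymorphicTypeValidator": re.compile(r"\b\w*PolymorphicTypeValidator\b"),
    "LaissezFaireSubTypeValidator": re.compile(r"\bLaissezFaireSubTypeValidator\b"),
}

def strip_java_comments(src: str) -> str:
    """Blank out /* */ and // comments, keeping newlines so line numbers hold.
    Heuristic: a '//' inside a string literal (e.g. a URL) also drops the rest
    of that line, so a marker after it on the same line would be missed."""
    no_block = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", no_block)

def scan_java_source(src: str, filename: str = "<string>") -> list[dict]:
    """One finding per (line, indicator) match in the comment-stripped source."""
    findings = []
    for lineno, line in enumerate(strip_java_comments(src).splitlines(), start=1):
        for label, pattern in POLYMORPHIC_INDICATORS.items():
            if pattern.search(line):
                findings.append({"file": filename, "line": lineno,
                                 "indicator": label, "text": line.strip()})
    return findings

def scan_source_tree(root: Path) -> list[dict]:
    """Scan every .java file under root; paths are reported relative to root."""
    findings = []
    for path in sorted(root.rglob("*.java")):
        findings.extend(scan_java_source(path.read_text(encoding="utf-8"),
                                         str(path.relative_to(root))))
    return findings

def vex_statement(cve: str, product_id: str, findings: list[dict], timestamp: str) -> dict:
    """OpenVEX statement: a clean scan supports not_affected with the justification the
    assessment relies on; any hit yields under_investigation (a marker alone does not
    prove exploitability, so a human has to look)."""
    stmt = {"vulnerability": {"name": cve}, "products": [{"@id": product_id}],
            "timestamp": timestamp, "status": "under_investigation"}
    if not findings:
        stmt["status"] = "not_affected"
        stmt["justification"] = "vulnerable_code_not_in_execute_path"
        stmt["impact_statement"] = ("jackson-databind is used only for concrete-type "
                                    "deserialization; no polymorphic type handling found.")
    return stmt

def vex_document(statements: list[dict], timestamp: str) -> dict:
    """Minimal OpenVEX v0.2.0 envelope; @id and author are placeholders."""
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "@id": "https://example.invalid/vex/jackson-databind-3.6.5",
            "author": "example-security-team", "timestamp": timestamp,
            "version": 1, "statements": statements}

# Constructed samples: one matching the assessment, one that does not.
CLEAN_JAVA = """\
package example;
public class Settings {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    // Concrete target type: the caller, not the JSON document, picks the class.
    public static SettingsDto parse(String json) throws Exception {
        return MAPPER.readValue(json, SettingsDto.class);
    }
}
"""
RISKY_JAVA = """\
package example;
public class Events {
    /* activateDefaultTyping( inside a comment must not count */
    private static final ObjectMapper MAPPER = new ObjectMapper().activateDefaultTyping(
        BasicPolymorphicTypeValidator.builder().allowIfSubType("example.").build(),
        ObjectMapper.DefaultTyping.NON_FINAL);
    public static Object parse(String json) throws Exception {
        return MAPPER.readValue(json, Object.class);
    }
}
"""

def run_demo(timestamp: str = "2026-06-15T00:00:00Z") -> dict:
    """Write the samples to a temp tree, scan it, and emit VEX for both CVEs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Settings.java").write_text(CLEAN_JAVA, encoding="utf-8")
        (root / "Events.java").write_text(RISKY_JAVA, encoding="utf-8")
        findings = scan_source_tree(root)
    product = "pkg:generic/admin-center@3.6.5"  # assumed product identifier
    statements = [vex_statement(cve, product, findings, timestamp)
                  for cve in ("CVE-2026-54512", "CVE-2026-54513")]
    return {"findings": findings, "vex": vex_document(statements, timestamp)}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a real service checkout by calling scan_source_tree on the source root; a clean result is the evidence behind the "vulnerable_code_not_in_execute_path" justification, while any hit (including an import of a PolymorphicTypeValidator) means the Not Affected status should not be issued until someone has confirmed the typing is restricted to an allow-list of known subtypes. The scan is a source-level heuristic: it does not see Jackson configuration done through Spring or Keycloak's own modules, and those frameworks bundle their own ObjectMapper setup.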