3.6 - Security fixes
3.6.0-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| admin-center | CVE-2026-22739 | HIGH | Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access | 3.5.9-funcrel |
| admin-center | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.5.9-funcrel |
| admin-center | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.5.9-funcrel |
| admin-center | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| admin-center | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| admin-center | CVE-2026-34197 | HIGH | org.apache.activemq/activemq-broker: org.apache.activemq/activemq-all: Apache ActiveMQ: Arbitrary Code Execution via crafted discovery URI in Jolokia JMX-HTTP bridge | 3.5.9-funcrel |
| admin-center | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.5.9-funcrel |
| admin-center | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.5.9-funcrel |
| admin-center | CVE-2026-39304 | HIGH | Apache ActiveMQ Client: Apache ActiveMQ Broker: Apache ActiveMQ: Apache ActiveMQ: Denial of Service due to TLSv1.3 KeyUpdate memory exhaustion | 3.5.9-funcrel |
| admin-center | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| ai-service | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.5.9-funcrel |
| ai-service | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.5.9-funcrel |
| analysis-node | CVE-2026-28417 | HIGH | vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin | 3.5.9_core8.4.10 |
| analysis-node | CVE-2026-28421 | HIGH | vim: Vim: Denial of service and information disclosure via crafted swap file | 3.5.9_core8.4.10 |
| analysis-node | CVE-2026-33412 | HIGH | vim: Vim: Arbitrary code execution via command injection in glob() function | 3.5.9_core8.4.10 |
| auth-service | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| auth-service | CVE-2026-22732 | CRITICAL | Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers | 3.5.9-funcrel |
| auth-service | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| auth-service | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| auth-service | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| console | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| console | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| console | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| console | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| dashboards-v3 | CVE-2026-22732 | CRITICAL | Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers | 3.5.9-funcrel |
| dashboards-v3 | CVE-2026-24734 | HIGH | tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation | 3.5.9-funcrel |
| etl-service | CVE-2026-25679 | HIGH | net/url: Incorrect parsing of IPv6 host literals in net/url | 3.5.9-funcrel |
| etl-service | CVE-2026-28390 | HIGH | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing | 3.5.9-funcrel |
| etl-service | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| gateway | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| gateway | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.5.9-funcrel |
| gateway | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.5.9-funcrel |
| gateway | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| gateway | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| gateway | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.5.9-funcrel |
| gateway | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.5.9-funcrel |
| gateway | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| sso-service | CVE-2026-2603 | HIGH | keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider | 3.5.9-funcrel |
| sso-service | CVE-2026-3872 | HIGH | keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass | 3.5.9-funcrel |
| sso-service | CVE-2026-4282 | HIGH | keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw | 3.5.9-funcrel |
| sso-service | CVE-2026-4634 | HIGH | keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters | 3.5.9-funcrel |
| sso-service | CVE-2026-4636 | HIGH | keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources. | 3.5.9-funcrel |
| viewer | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| viewer | CVE-2026-25679 | HIGH | net/url: Incorrect parsing of IPv6 host literals in net/url | 3.5.9-funcrel |
| viewer | CVE-2026-28390 | HIGH | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing | 3.5.9-funcrel |
| viewer | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.0 |
| ai-service | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.0 |
| ai-service | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.0 |
| ai-service | CVE-2026-34070 | HIGH | langchain: path traversal in legacy load_prompt functions in langchain-core | 3.6.0 |
| analysis-node | CVE-2025-67030 | HIGH | org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method | 3.6.0_core8.4.10 |
| auth-service | CVE-2026-40477 | CRITICAL | Improper restriction of the scope of accessible objects in Thymeleaf expressions | 3.6.0 |
| auth-service | CVE-2026-40478 | CRITICAL | Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | 3.6.0 |
| dashboards-v3 | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.6.0 |
| dashboards-v3 | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.6.0 |
| dashboards-v3 | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.6.0 |
| dashboards-v3 | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.6.0 |
| etl-service | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0 |
| etl-service | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0 |
| gateway | CVE-2026-40477 | CRITICAL | Improper restriction of the scope of accessible objects in Thymeleaf expressions | 3.6.0 |
| gateway | CVE-2026-40478 | CRITICAL | Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | 3.6.0 |
| neo4j | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.0 |
| neo4j | CVE-2026-1605 | HIGH | org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests | 3.6.0 |
| neo4j | CVE-2026-2332 | HIGH | org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing | 3.6.0 |
| neo4j | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.0 |
| neo4j | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0 |
| neo4j | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0 |
| neo4j | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0 |
| neo4j | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.0 |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.6.0 |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.6.0 |
| sso-service | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.6.0 |
| sso-service | CVE-2026-26740 | HIGH | giflib: giflib: Denial of Service via buffer overflow in EGifGCBToExtension | 3.6.0 |
| sso-service | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0 |
| sso-service | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.0 |
| sso-service | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.0 |
| viewer | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0 |
| viewer | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0 |
Critical CVEs on Auth Service and Gateway (CVE-2026-40477 and CVE-2026-40478) were reported during our release window. The affected Thymeleaf library is included in these services but is not used to serve any content or to generate any templates, so the risk is very low. These CVEs will be resolved in 3.6.1.
In sso-service, CVE-2025-59250 is a false positive: the MSSQL JDBC driver already includes the fix for that CVE, but our scanner expects the version string to be 13.2.1.jre, whereas the included version is reported as 13.2.1. The other sso-service CVEs are expected to be fixed in 3.6.1, when we update the base Keycloak image.