3.6 - Security fixes
3.6.1-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.0 |
| ai-service | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.0 |
| ai-service | CVE-2026-34070 | HIGH | langchain: path traversal in legacy load_prompt functions in langchain-core | 3.6.0 |
| analysis-node | CVE-2026-27135 | HIGH | nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-32178 | HIGH | dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-32203 | HIGH | dotnet: .NET: Denial of Service via stack overflow | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-41066 | HIGH | lxml is a library for processing XML and HTML in the Python language. … | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-4424 | HIGH | libarchive: libarchive: Information disclosure via heap out-of-bounds read in RAR archive processing | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-5121 | HIGH | libarchive: libarchive: Arbitrary code execution via integer overflow in ISO9660 image processing | 3.6.0_core8.4.10 |
| auth-service | CVE-2026-40477 | CRITICAL | thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution | 3.6.0 |
| auth-service | CVE-2026-40478 | CRITICAL | thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass | 3.6.0 |
| dashboards-v3 | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.6.0 |
| dashboards-v3 | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.6.0 |
| dashboards-v3 | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.6.0 |
| dashboards-v3 | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.6.0 |
| etl-service | CVE-2026-32280 | HIGH | crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building | 3.6.0 |
| etl-service | CVE-2026-32281 | HIGH | crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation | 3.6.0 |
| etl-service | CVE-2026-32283 | HIGH | If one side of the TLS connection sends multiple key update messages p … | 3.6.0 |
| gateway | CVE-2026-40477 | CRITICAL | thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution | 3.6.0 |
| gateway | CVE-2026-40478 | CRITICAL | thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass | 3.6.0 |
| neo4j | CVE-2026-1605 | HIGH | org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests | 3.6.0 |
| neo4j | CVE-2026-2332 | HIGH | org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing | 3.6.0 |
| neo4j | CVE-2026-32280 | HIGH | crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building | 3.6.0 |
| neo4j | CVE-2026-32281 | HIGH | crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation | 3.6.0 |
| neo4j | CVE-2026-32283 | HIGH | If one side of the TLS connection sends multiple key update messages p … | 3.6.0 |
| neo4j | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0 |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.6.0 |
| sso-service | CVE-2026-22016 | HIGH | openjdk: OpenJDK: Enhance Path Factories Redux (Oracle CPU 2026-04) | 3.6.0 |
| sso-service | CVE-2026-22020 | HIGH | openjdk: OpenJDK: Update LibPNG (Oracle CPU 2026-04) | 3.6.0 |
| sso-service | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.6.0 |
| sso-service | CVE-2026-26740 | HIGH | giflib: giflib: Denial of Service via buffer overflow in EGifGCBToExtension | 3.6.0 |
| sso-service | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0 |
| sso-service | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.0 |
| sso-service | CVE-2026-34282 | HIGH | openjdk: OpenJDK: Enhance TLS connection handling (Oracle CPU 2026-04) | 3.6.0 |
| sso-service | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.0 |
| viewer | CVE-2026-32280 | HIGH | crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building | 3.6.0 |
| viewer | CVE-2026-32281 | HIGH | crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation | 3.6.0 |
| viewer | CVE-2026-32283 | HIGH | If one side of the TLS connection sends multiple key update messages p … | 3.6.0 |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.1 |
| ai-service | CVE-2026-3298 | HIGH | python: The method “sock_recvfrom_into()” of “asyncio.ProactorEventLoop” (Windows only) was missing a boundary check… | 3.6.1 |
| ai-service | CVE-2026-4786 | HIGH | python: Mitigation of CVE-2026-4519 was incomplete. If the URL contained “%action” the mitigation could be bypassed… | 3.6.1 |
| ai-service | CVE-2026-5435 | HIGH | glibc: The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer… | 3.6.1 |
| ai-service | CVE-2026-6100 | CRITICAL | python: Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile… | 3.6.1 |
| analysis-node | CVE-2025-26646 | HIGH | dotnet: .NET and Visual Studio Spoofing Vulnerability | 3.6.1_core8.4.10 |
| analysis-node | CVE-2025-55247 | HIGH | dotnet: .NET Denial of Service Vulnerability | 3.6.1_core8.4.10 |
| analysis-node | CVE-2025-67030 | HIGH | org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method | 3.6.1_core8.4.10 |
| analysis-node | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-26171 | HIGH | dotnet: .NET: Security Bypass and Denial of Service Vulnerability | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-33116 | HIGH | dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform | 3.6.1_core8.4.10 |
| etl-service | CVE-2026-32316 | HIGH | jq: An integer overflow vulnerability exists through version 1.8.1 … | 3.6.1 |
| etl-service | CVE-2026-35385 | HIGH | openssh: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid … | 3.6.1 |
| etl-service | CVE-2026-3805 | HIGH | curl: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | 3.6.1 |
| imaging-apis | CVE-2026-32316 | HIGH | jq: An integer overflow vulnerability exists through version 1.8.1 … | 3.6.1 |
| imaging-apis | CVE-2026-3805 | HIGH | curl: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | 3.6.1 |
| neo4j | CVE-2025-15281 | HIGH | … | 3.6.1 |
| neo4j | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.1 |
| neo4j | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.6.1 |
| neo4j | CVE-2026-0915 | HIGH | … | 3.6.1 |
| neo4j | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.1 |
| neo4j | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.1 |
| neo4j | CVE-2026-5435 | HIGH | glibc: The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer… | 3.6.1 |
| neo4j | GHSA-72hv-8253-57qq | HIGH | jackson-core: The non-blocking (async) JSON parser bypasses the maxNumberLength constraint … | 3.6.1 |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.6.1 |
| sso-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.1 |
| sso-service | CVE-2026-2603 | HIGH | keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider | 3.6.1 |
| sso-service | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.1 |
The SSO Service image is based on the Docker Hardened variant of Keycloak 26.5.7. Following the security analysis done by the Docker team on this base image and its VEX attestation records, the following CVEs were marked as “Not Affected”:
- CVE-2025-59250 - Docker Scout Team comment: False positive. The image ships mssql-jdbc 13.2.1.jre11, which the advisory lists as the fixed version. Scout strips the .jre11 classifier in its SBOM, so an additional statement is required to match the bare 13.2.1 PURL.
- CVE-2025-69720 - Docker Scout Team comment: Debian NODSA
- CVE-2026-29111 - Docker Scout Team comment: Debian NODSA
Analysis node fixes are targeted for CAST Imaging Core 8.4.11. The changes require further regression testing, and waiting for it would have long delayed the release of the other images and their related security fixes.
CVE-2026-29111 and CVE-2025-69720 are shared with the SSO Service and are reported by the Docker Scout team as “no-DSA”, the Debian status for issues that do not require an immediate fix (no Debian Security Advisory is issued):
- CVE-2026-29111 - Debian Security Team considers this CVE as Minor.
- CVE-2025-69720 - Debian NODSA.
The AI service image is based on the Python Docker Hardened Image. According to the suppressed CVEs on this image, most of the known CVEs listed above are annotated as “Not Affected”; i.e. Trivy reports these issues, but they are already fixed or mitigated, or are not considered as severe as the CVSS score might suggest.
- CVE-2026-6100: Marked as “Under investigation” and “Not affected” on the same day. Docker Scout Comments: “Under investigation”: Waiting for upstream fix; no fixed version is available yet. “Not affected”: DHI backport applied; follow-up to CVE-2026-4519.
- CVE-2026-3298: Not affected. Docker Scout Comment: DHI backport applied; upstream fix adds boundary check to asyncio.AbstractEventLoop.sock_recvfrom_into() to prevent buffer overflow on Windows.
- CVE-2026-4786: Marked as “Under investigation” and “Not affected” on the same day. Docker Scout Comments: “Under investigation”: Waiting for upstream fix; no fixed version is available yet. “Not affected”: DHI backport applied; follow-up to CVE-2026-4519.
- CVE-2026-5435: “Under investigation”. Docker Scout Comment: No fixed version available from Debian yet. Waiting for upstream glibc/trixie security update.
- CVE-2025-69720: “Not affected”. Docker Scout Comment: Debian NODSA.
The Neo4j image is based on the Docker Hardened Image Debian 13 base. Most system-level CVEs reported by tools such as Trivy, Grype or Docker Scout are marked as “Not affected” or “Under investigation”; this includes CVE-2026-29111 and CVE-2025-69720. CVE-2026-33871 and GHSA-72hv-8253-57qq, on the other hand, require fixes in the neo4j package itself.
3.6.0-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| admin-center | CVE-2026-22739 | HIGH | Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access | 3.5.9-funcrel |
| admin-center | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.5.9-funcrel |
| admin-center | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.5.9-funcrel |
| admin-center | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| admin-center | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| admin-center | CVE-2026-34197 | HIGH | org.apache.activemq/activemq-broker: org.apache.activemq/activemq-all: Apache ActiveMQ: Arbitrary Code Execution via crafted discovery URI in Jolokia JMX-HTTP bridge | 3.5.9-funcrel |
| admin-center | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.5.9-funcrel |
| admin-center | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.5.9-funcrel |
| admin-center | CVE-2026-39304 | HIGH | Apache ActiveMQ Client: Apache ActiveMQ Broker: Apache ActiveMQ: Apache ActiveMQ: Denial of Service due to TLSv1.3 KeyUpdate memory exhaustion | 3.5.9-funcrel |
| admin-center | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| ai-service | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.5.9-funcrel |
| ai-service | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.5.9-funcrel |
| analysis-node | CVE-2026-28417 | HIGH | vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin | 3.5.9_core8.4.10 |
| analysis-node | CVE-2026-28421 | HIGH | vim: Vim: Denial of service and information disclosure via crafted swap file | 3.5.9_core8.4.10 |
| analysis-node | CVE-2026-33412 | HIGH | vim: Vim: Arbitrary code execution via command injection in glob() function | 3.5.9_core8.4.10 |
| auth-service | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| auth-service | CVE-2026-22732 | CRITICAL | Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers | 3.5.9-funcrel |
| auth-service | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| auth-service | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| auth-service | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| console | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| console | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| console | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| console | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| dashboards-v3 | CVE-2026-22732 | CRITICAL | Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers | 3.5.9-funcrel |
| dashboards-v3 | CVE-2026-24734 | HIGH | tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation | 3.5.9-funcrel |
| etl-service | CVE-2026-25679 | HIGH | net/url: Incorrect parsing of IPv6 host literals in net/url | 3.5.9-funcrel |
| etl-service | CVE-2026-28390 | HIGH | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing | 3.5.9-funcrel |
| etl-service | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| gateway | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| gateway | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.5.9-funcrel |
| gateway | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.5.9-funcrel |
| gateway | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| gateway | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| gateway | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.5.9-funcrel |
| gateway | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.5.9-funcrel |
| gateway | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| sso-service | CVE-2026-2603 | HIGH | keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider | 3.5.9-funcrel |
| sso-service | CVE-2026-3872 | HIGH | keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass | 3.5.9-funcrel |
| sso-service | CVE-2026-4282 | HIGH | keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw | 3.5.9-funcrel |
| sso-service | CVE-2026-4634 | HIGH | keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters | 3.5.9-funcrel |
| sso-service | CVE-2026-4636 | HIGH | keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources. | 3.5.9-funcrel |
| viewer | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| viewer | CVE-2026-25679 | HIGH | net/url: Incorrect parsing of IPv6 host literals in net/url | 3.5.9-funcrel |
| viewer | CVE-2026-28390 | HIGH | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing | 3.5.9-funcrel |
| viewer | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.0 |
| ai-service | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.0 |
| ai-service | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.0 |
| ai-service | CVE-2026-34070 | HIGH | langchain: path traversal in legacy load_prompt functions in langchain-core | 3.6.0 |
| analysis-node | CVE-2025-67030 | HIGH | org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method | 3.6.0_core8.4.10 |
| auth-service | CVE-2026-40477 | CRITICAL | Improper restriction of the scope of accessible objects in Thymeleaf expressions | 3.6.0 |
| auth-service | CVE-2026-40478 | CRITICAL | Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | 3.6.0 |
| dashboards-v3 | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.6.0 |
| dashboards-v3 | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.6.0 |
| dashboards-v3 | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.6.0 |
| dashboards-v3 | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.6.0 |
| etl-service | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0 |
| etl-service | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0 |
| gateway | CVE-2026-40477 | CRITICAL | Improper restriction of the scope of accessible objects in Thymeleaf expressions | 3.6.0 |
| gateway | CVE-2026-40478 | CRITICAL | Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | 3.6.0 |
| neo4j | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.0 |
| neo4j | CVE-2026-1605 | HIGH | org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests | 3.6.0 |
| neo4j | CVE-2026-2332 | HIGH | org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing | 3.6.0 |
| neo4j | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.0 |
| neo4j | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0 |
| neo4j | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0 |
| neo4j | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0 |
| neo4j | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.0 |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.6.0 |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.6.0 |
| sso-service | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.6.0 |
| sso-service | CVE-2026-26740 | HIGH | giflib: giflib: Denial of Service via buffer overflow in EGifGCBToExtension | 3.6.0 |
| sso-service | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0 |
| sso-service | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.0 |
| sso-service | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.0 |
| viewer | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0 |
| viewer | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0 |
Critical CVEs on Auth Service and Gateway (CVE-2026-40477 and CVE-2026-40478) were reported during our release window. The Thymeleaf library is included but is not used to serve any content or to generate any templates, so the risk is very low. These CVEs will be resolved in 3.6.1.
In sso-service, CVE-2025-59250 is actually a false positive: the MSSQL JDBC driver already includes the fix for this CVE; however, our scanner expects the version to be 13.2.1.jre while the included version is reported as 13.2.1. The other CVEs are expected to be fixed in 3.6.1 as we update the base Keycloak image.