Hi Vivek, On June 25th, Apache Kafka 4.3.1 was released and is available for use Of the CVEs you mentioned: Kafka Core - CVE-2026-41115 -> Fixed in 4.3.1 (documentation update) OpenTelemetry - CVE-2026-39882 -> seems to refer to opentelemetry-go and we use opentelemetry-proto only - CVE-2026-41078 -> seems to refer to opentelemetry-dotnet, we use opentelemetry-proto only - CVE-2026-40894 -> seems to refer to opentelemetry-dotnet, we use opentelemetry-proto only - CVE-2026-44967 -> seems to refer to opentelemetry-c++, we use opentelemetry-proto only JLine - GHSA-2r2c-cx56-8933 -> seems to refer to JLine-telnet. We don't use this submodule - GHSA-47qp-hqvx-6r3f -> seems to refer to JLine-telnet. We don't use this submodule - XRAY-1005950 and XRAY-1005951 -> these appear to be JFrog Xray internal database identifiers rather than CVEs, so we can't look them up publicly. Could you share the affected component and version from your scanner report? They may correspond to the two JLine GHSA advisories above, which never received CVE IDs. Jackson - CVE-2026-54512 -> We still have a dependency affected by this CVE - CVE-2026-54513 -> We still have a dependency affected by this CVE - CVE-2026-54514 -> We still have a dependency affected by this CVE - CVE-2026-54515 -> We still have a dependency affected by this CVE - CVE-2026-54516 -> We still have a dependency affected by this CVE - CVE-2026-54517 -> We still have a dependency affected by this CVE - CVE-2026-54518 -> We still have a dependency affected by this CVE For the Jackson CVEs, we have already updated our dependency to fix these issues. Therefore, newer Apache Kafka versions (4.2 or newer) released after July 9th will include a non-vulnerable dependency for these CVEs. You can see the PR where this was fixed here: https://github.com/apache/kafka/pull/22793 However, based on static analysis of the 4.3.1 distribution, the code doesn't seem to reach any of the vulnerable classes highlighted in these CVEs. The only case where this might be tangentially affected is Trogdor which is a test framework and should not be used in production. Regarding the version release, there is no planned date for an eventual 4.3.2 version at the moment of writing this email. Thanks for staying vigilant. Let me know if you disagree with the above assessment. Best, On Tue, Jul 14, 2026 at 7:06 AM Vivek Agarwal B via users < users@kafka.apache.org> wrote: > Hello Team, > > > > Could you please confirm the plan to release a new Kafka version that > includes fixes for vulnerabilities identified primarily in transient > dependencies such as Jackson, JLine, OpenTelemetry and a few others? > > > > These are detected in kafka v4.3.0. > > > > Below is the list of identified vulnerabilities for reference: > > > > Kafka core > > CVE-2026-41115 > > > > OpenTelemetry > > CVE-2026-39882 > > CVE-2026-41078 > > CVE-2026-40894 > > CVE-2026-44967 > > > > JLine > > GHSA-2r2c-cx56-8933 > > GHSA-47qp-hqvx-6r3f > > XRAY-1005950 > > XRAY-1005951 > > > > Jackson - > > CVE-2026-54512 > > CVE-2026-54513 > > CVE-2026-54514 > > CVE-2026-54515 > > CVE-2026-54516 > > CVE-2026-54517 > > CVE-2026-54518 > > > > Regards > Vivek > > -- [image: Aiven] <https://www.aiven.io> *Josep Prat* Sr Engineering Director, Streaming Services, *Aiven* josep.prat@aiven.io | +491715557497 aiven.io <https://www.aiven.io/> [image: LinkedIn] <https://www.linkedin.com/company/aiven/posts/?feedView=all> [image: X] <https://x.com/aiven_io> [image: GitHub] <https://github.com/aiven> [image: YouTube] <https://www.youtube.com/@Aiven_io> [image: Facebook] <https://www.facebook.com/aivencloud> *Aiven Deutschland GmbH* Rosenthaler Straße 43-45, 10178 Berlin Geschäftsführer: Oskari Saarenmaa, Kenneth Chen Amtsgericht Charlottenburg, HRB 209739 B
Comments
Post a Comment