The Apache Pinot team is pleased to announce the release of Apache Pinot
1.5.1.
Apache Pinot is a real-time distributed OLAP datastore purpose-built for
low-latency, high-throughput analytics on streaming and batch data.
Apache Pinot 1.5.1 is a security patch release based on 1.5.0. It contains
only dependency updates and dependency-exclusion changes to resolve reported
CVEs -- there are no functional, API, configuration, or wire-format changes,
so it is a drop-in upgrade from 1.5.0. A vulnerability scan of the binary
distribution reports 0 critical and 0 high findings.
Resolved CVEs (dependency updates vs 1.5.0):
- Netty 4.1.122.Final -> 4.1.134.Final
- Apache Log4j Core 2.25.3 -> 2.26.0
- async-http-client 3.0.7 -> 3.0.10
- Apache HttpClient 5 5.6 -> 5.6.1
- Apache Pulsar 4.0.9 -> 4.0.10 (BouncyCastle bcprov/bcpkix/bcutil
1.84)
- commons-configuration2 2.13.0 -> 2.15.0
- CVE-2026-2332 (Jetty): the unused embedded Hadoop Jetty is now excluded
and stripped from the distribution, so it no longer ships.
The release is available for download at:
https://pinot.apache.org/download/
Release notes:
https://github.com/apache/pinot/releases/tag/release-1.5.1
Documentation:
https://docs.pinot.apache.org/
We would like to thank all the contributors who made this release possible.
Regards,
The Apache Pinot Team