Hi Luke,

Need answers to the following questions –

1. When is the next release planned which has the fix for this CVE?
2. What log4j/jetty/Jackson-core version will be used in this upcoming Kafka release?

Share the JIRA links if available.

Regards
Vivek

From: Luke Chen <[email protected]>
Sent: 15 May 2026 12:39
To: [email protected]
Cc: [email protected]; Vivek Agarwal B <[email protected]>; Apoorva Maheshwari <[email protected]>
Subject: Re: Kafka new version info

Hi Apoorva,

This is an open source project, so you can search in the JIRA or check the source code to find the answer.

Like the first CVE-2025-67030, you will find this ticket after searching it:
https://issues.apache.org/jira/browse/KAFKA-20373
And it showed it'll be included in v4.2.1/v4.3.0.

If you find it is not fixed yet, submitting PRs to fix them is highly appreciated.

Thank you,
Luke

On Fri, May 15, 2026 at 2:18 PM Apoorva Maheshwari via users <[email protected]> wrote:

Hello Team,

Could you please confirm the plan to release a new Kafka version that includes fixes for vulnerabilities identified primarily in transient dependencies such as Jetty, log4j, Jackson, and a few others?

Below is the list of identified vulnerabilities for reference:

CVE-2025-67030
CVE-2026-39882
CVE-2026-41078
CVE-2026-40894
CVE-2026-34477
CVE-2026-34478
CVE-2026-34479
CVE-2026-34480
CVE-2026-34481
CVE-2026-1605
CVE-2025-11143
CVE-2026-2332
CVE-2026-5795
GHSA-72hv-8253-57qq

Regards
Apoorva Maheshwari
